Mar 09 2021

Feds Assess Fallout from Compromise of Microsoft Exchange Servers

At least 60,000 U.S. organizations have reportedly been impacted by the breach.

Federal agencies are still working to assess the fallout of another wide-ranging cybersecurity breach, this time one affecting tens of thousands of organizations that use Microsoft’s Exchange Server system.

Microsoft released software updates on March 2 to patch the vulnerabilities, and the security website Krebs on Security first reported on March 5 that at least 30,000 U.S. organizations were affected. Over the weekend, the figure ballooned as the full scope of the breach came into focus. As Bloomberg News reports:

The attack, which Microsoft has said started with a Chinese government-backed hacking group, has so far claimed at least 60,000 known victims globally, according to a former senior U.S. official with knowledge of the investigation. Many of them appear to be small or medium-sized businesses caught in a wide net the attackers cast as Microsoft worked to shut down the hack.

On March 3, the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security issued an alert on the breach. CISA also issued an emergency directive to federal agencies on March 3, requiring them to identify affected systems, immediately disconnect on-premises Microsoft Exchange servers, leave them disconnected, and identify and remove “all threat actor-controlled accounts and identified persistence mechanisms.”

CISA recommends investigating for signs of a compromise from at least Sept. 1, 2020, through the present. The vulnerabilities were first identified in January. Krebs on Security reports:

Microsoft’s initial advisory about the Exchange flaws credited Reston, Va.-based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.

It will likely take time for CISA and other government entities to assess the scope of the threat and what back doors might have been installed on government and private sector systems. “We’re concerned that there are a large number of victims,” White House Press Secretary Jen Psaki said during a press briefing on March 5, The New York Times reports. The attack “could have far-reaching impacts,” she added.

The FBI said in a statement it is “working closely with our interagency and private sector partners to understand the scope of the threat. Network owners should immediately patch their systems.” The FBI told organizations that have been compromised to contact their local FBI field offices.
