Microsoft email servers are being targeted by hackers after a series of vulnerabilities were detailed at a computer security conference in August. While software patches for the vulnerabilities have been available for months, experts say that over 50 per cent of Microsoft Exchange servers in the UK have not yet been updated.
Among the servers still vulnerable to attack are several on the British government's GOV.UK domain as well as the police.uk domain used by forces in England, Wales and Northern Ireland.
Kevin Beaumont, a security researcher who formerly worked for Microsoft, criticised the company for what he termed ‘knowingly awful’ messaging to get customers to update their software, according to The Express.
He said that the vulnerabilities are ‘as serious as they come’, as they allow hackers to remotely execute code on an email server without needing to enter a password.
Numerous cybersecurity experts and organisations have reported detecting cyber criminals gaining access to servers by exploiting the vulnerabilities and then deploying ransomware, holding a company’s information hostage until a ransom is paid.
The vulnerability was discovered and the flawed code was fixed back in April and May. However, Microsoft did not assign a CVE (Common Vulnerabilities and Exposures) identifier until July, which delayed the processes organisations rely on to track vulnerabilities and roll out updates.
Beaumont said: “Given many organisations vulnerability manage via CVE, it created a situation where Microsoft's customers were misinformed about the severity of one of the most critical enterprise security bugs of the year.”
A spokesperson for Microsoft said that the company had released security updates to keep customers safe and protect against potential attacks, and recommended that customers adopt a strategy to ensure that security updates are installed as soon as possible after each monthly security release.
The spokesperson said Microsoft had nothing to share in response to Beaumont's criticism about whether it had effectively communicated the importance of installing these updates.
When Microsoft issued a patch for the vulnerabilities, there were no publicly available proof-of-concept exploits, which typically inform how severe a risk a given vulnerability is considered to pose.
The CVE identifier was assigned before the issue was technically detailed at the Black Hat computer security conference by a hacker who uses the handle Orange Tsai.
Using these technical details, other hackers have been able to develop exploits that recreate Orange Tsai's methods for hacking Exchange servers.
Orange Tsai said they had discovered more vulnerabilities affecting Microsoft Exchange which were ‘coming soon’.
Beaumont says he has identified thousands of unpatched Exchange servers in the UK running the Outlook Web App, which includes several servers on the GOV.UK domain, and two on the police.uk domain.
The UK's National Cyber Security Centre (NCSC) said: “We are aware of ongoing global activity targeting previously disclosed vulnerabilities in Microsoft Exchange servers.
“At this stage, we have not seen evidence of UK organisations being compromised but we continue to monitor for impact.”
The NCSC added that it urges all organisations to install the latest security updates to ensure they are protected, and to report any suspected compromises via the NCSC website.