- Security researchers and federal officials are working with Microsoft to regain control over the rapidly evolving Exchange Server crisis that exposed thousands of companies, think tanks and other organizations to opportunistic cyberattackers.
- Microsoft released additional security updates this week designed as short-term fixes for vulnerable servers that could not be completely secured by mitigations released last week.
- The number of vulnerable servers running older, unpatched versions of Microsoft Exchange dropped by about 30% to 80,000 worldwide, according to Palo Alto Networks. The U.S. still leads all nations with about 20,000 vulnerable servers, followed by Germany with 11,000 and the U.K. with 4,000.
The FBI and Cybersecurity and Infrastructure Security Agency issued a joint advisory on Wednesday warning organizations that nation-state actors and cybercriminal gangs were attempting to take advantage of the Microsoft Exchange vulnerabilities in order to gain persistent system access.
After initial vulnerabilities were discovered dating back to early January, security researchers working with Microsoft identified multiple vulnerabilities in Microsoft Exchange Server that allowed threat actors to deploy webshells into on-premise servers.
Threat actors have been observed exfiltrating emails, stealing copies of Active Directory databases, deleting or adding user accounts and engaging in other activity by moving laterally within systems.
A range of industries have been targeted by the attacks, including defense contractors, biotech firms, think tanks, small city and county governments, power companies and law firms, according to the FBI and CISA.
FireEye warned the security industry that threat actors were using a technique called credential dumping to enable lateral movement and escalation of privileges inside a compromised network. State-sponsored and financially motivated groups have begun to take advantage of backdoor opportunities presented by the initial round of attacks and the entry of webshells into vulnerable servers, according to a blogpost released Thursday.