- An attack by suspected nation-state actors on Microsoft Exchange Server is rapidly growing in scope as researchers and industry officials warn that thousands of systems across the country are at risk. Officials said a patch issued earlier in the week by Microsoft may not work on already compromised systems.
- More than 30,000 organizations across the U.S. have already been hit by the attack, according to a Friday report by KrebsonSecurity. The attack, which uses webshells to exploit vulnerabilities in Exchange Server, has primarily focused on stealing emails and other information from companies, local governments and other organizations.
- Microsoft over the weekend released a detection tool to scan for indicators of compromise associated with the vulnerabilities in Microsoft Exchange.
Researchers and government officials scrambled throughout the weekend to manage the rapidly growing scope of the attacks, as initial mitigation strategies from Microsoft fell short of containing the situation.
"Unfortunately there has been a lot of uncertainty and confusion in the patching process," John Hammond, senior security researcher at Huntress said via email. "This is becoming more and more of a widespread attack, with the scope ever-increasing as organizations struggle to patch."
During the daily briefing on Friday, White House press secretary Jen Psaki called the Microsoft Exchange situation a "significant vulnerability that could have far reaching impacts."
She acknowledged a late Thursday tweet from national security advisor Jake Sullivan, who said the breach was being closely tracked and reiterated the administration's concerns about the defense industrial base and the impact on U.S. think tanks.
"First and foremost this is an active threat," Psaki said. "And as the national security advisor tweeted last night, everyone running these servers — government, private sector, academia — needs to act now to patch them."
The White House is concerned about a wide number of victims being impacted by the breach and said they were working with their partners on the matter, Psaki said.
Sullivan on Thursday tweeted that officials were closely tracking Microsoft's emergency patch for previously unknown vulnerabilities in the Exchange server and were monitoring reports of potential compromises of U.S. think tanks and defense industrial base organizations.
The Cybersecurity & Infrastructure Security Agency updated an alert issued last week warning of vulnerabilities in Exchange Server that allow attackers to gain persistent system access as well as access to files, mailboxes and credentials.
The vulnerabilities on Microsoft Exchange Server are not providing any impact to Exchange Online or Microsoft 365 cloud email services, CISA said.
"If an organization discovers exploitation activity, they should assume network identity compromise and follow incident response procedures," according to the CISA alert. The update stated that organizations should apply available patches if they find no activity.