Written by Shannon Vavra
Microsoft issued a patch late Monday evening for older, unsupported versions of Microsoft Exchange servers in an attempt to lessen the blow of hackers exploiting recently uncovered software flaws.
Microsoft released a security update earlier this month to address the four zero-day flaws in Exchange Server email software, which suspected Chinese hackers are actively exploiting as part of an espionage operation aimed at stealing the contents of targets’ emails. But those updates only addressed Exchange Server versions 2013 to 2019.
“This is intended only as a temporary measure to help you protect vulnerable machines right now,” the Exchange Team at Microsoft warned in a blog post. The best course of action would be to update to the latest version and apply the patch, the company said.
System administrators should be advised that the updates for unsupported Exchange Servers only address the four zero-day flaws revealed early this month, Microsoft said.
The decision to expand the security updates to include even older versions is a signal of just how severe and widespread the attacks leveraging the vulnerabilities are. Microsoft has previously taken the unusual step of issuing updates for older products in cases of serious vulnerabilities, such as when Microsoft issued an update for a wormable flaw in 2019, or when the company issued protections for those using older versions of Windows during the widespread WannaCry attacks in 2017.
By some estimates tens of thousands of organizations just in the U.S. are vulnerable to the newly uncovered Microsoft Exchange Server vulnerabilities. U.S. defense contractors, non-governmental organizations and international aid organizations have reportedly been targeted already. But the problem is not exclusive to Americans — the governments of Norway and the Czech Republic have already announced they are addressing compromises stemming from the flaws in their countries, and information security experts have warned that organizations around the world should be on alert for targeting activity.
Although researchers have found thus far that hackers have been stealing email data from targets, attackers could use the flaws to encrypt data in ransomware attacks and conduct other destructive attacks, the Department of Homeland Security has warned. And in addition to the suspected Chinese hackers, other hacking groups that may be linked with nation-states or criminal gangs are likely jumping into the fray, security experts have warned.
While the U.S. federal government is already responding to the massive fallout from the likely Russian hacking operation that exploited a software update in SolarWinds software, the Biden administration has begun working to get its arms around the Exchange Server issues. DHS has held phone briefings in recent days to assess the damages to state and local organizations across the country, whereas the National Security Council (NSC) has urged system administrators to patch.
The NSC is weighing its options for responses, a White House official told CyberScoop.