Microsoft has warned that 32,000 firms have not patched against the Exchange Server zero-day vulnerabilities exploited by Chinese state-linked cyberspies and a growing list of cybercrime gangs. However, the 92% that have patched or mitigated the security weaknesses could still be breached.

On 2 March Microsoft published security fixes to four vulnerabilities, collectively known as ProxyLogon, that gave threat actors a way onto the tech giant’s mail server and calendar product.

Around 400,000 Exchange Servers were vulnerable to cyberattackers stealing sensitive data or installing malicious software such as ransomware. That number has been rapidly declining in recent weeks, falling to 100,000 on 9 March as organisations installed the crucial updates.

The tech giant’s security response team said on Monday that the latest figure marked a 43% improvement on the previous week.

However, it means that as of Monday there were still 32,000 on-prem Exchange Servers unpatched and vulnerable to attack.

Crucially, patching does not prevent the exploitation of servers that have already been compromised. Microsoft has urged organisations running on-prem Exchange Servers to scan their networks for malicious activity in addition to patching.


Security researchers warned that cybercrime groups are scanning internet-facing Exchange servers, compromising those that are unpatched now and deciding later which servers warrant post-compromise activity.

It means that while 92% of Exchange Servers are patched, an unknown number of these could fall victim to cyberattacks in the coming months.

According to Slovak internet security firm ESET, more than 10 advanced persistent threat (APT) groups have taken advantage of the Exchange exploits.

These cybercriminal groups include LuckyMouse, Calypso and the Winnti Group.

This week Marcus Hutchins, the security researcher who found the kill switch for the 2017 WannaCry ransomware attack, said he had uncovered a second ransomware operation, called Black Kingdom, exploiting vulnerable Exchange Servers.

Fortunately, the malicious script, described by Hutchins as “by far the worst I’ve ever seen”, does not appear to encrypt files and has switched from “actual ransomware to scareware”.

The associated bitcoin account had only received one payment in three days, Hutchins added.

However, Microsoft threat intelligence analyst Kevin Beaumont said on Tuesday that Black Kingdom “does indeed encrypt files”.

It is unclear why there appear to be two versions of the ransomware.

The first reported ransomware exploiting Exchange Servers was DearCry.

Microsoft also announced this week that it had rolled out automatic mitigation for on-premises Exchange Servers via Microsoft Defender. Microsoft has published a script that can be used to scan for signs of such intrusions.

Last week hacking gang REvil compromised Acer with ransomware, demanding a $50m payment to decrypt the computer giant’s files. The compromised documents include financial spreadsheets, bank balances and banking communications.

The cybercriminals may have used Microsoft Exchange Server vulnerabilities to carry out the attack, but this has not been confirmed.
