Microsoft was warned about Exchange Server flaws two months ago

The European Banking Authority is the latest major public body to be compromised by the mass hack

Email symbols with padlock against dark background

Microsoft was aware of the Exchange Server vulnerabilities two months prior to the attack orchestrated by state-backed hackers, having confirmed that it was initially notified in “early January”.

The tech giant made the statement to cyber security journalist Brian Krebs, who has compiled a basic timeline of the hack on his blog

Krebs’ research shows that, on 5 January, Microsoft was first notified of two of the four zero-day vulnerabilities by a researcher at security testing firm DevCore. On 2 February, cyber security solutions provider Volexity also reported the same two vulnerabilities to Microsoft, having witnessed attack traffic going back to 3 January.

Warnings also came from Danish cyber security provider Dubex, which first witnessed clients being hit on 18 January. The company reported their incident response findings to Microsoft on 27 January.

In a blog post, Dubex detailed how hackers took advantage of the 'unifying messaging' module in Exchange, which allows organisations to store voicemail and fax files, as well as emails, calendars, and contacts in users’ mailboxes, in order to install web shell backdoors.

“A unified messaging server also allows users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App. Most users and IT departments manage their voicemail separately from their email, and voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone,” Dubex revealed.

Related Resource

The total economic impact of IBM Security Verify

Cost savings and business benefits enabled by IBM Security Verify

Cost savings and business benefits enabled by IBM Security Verify - whitepaper from IBMDownload now

However, Dubex’s CTO Jacob Herbst told KrebsOnSecurity that the company “never got a ‘real’ confirmation [from Microsoft] of the zero-day before the patch was released”.

The four zero-day vulnerabilities were ultimately patched on 2 March, a week earlier than previously planned. However, only a day later it was revealed that tens of thousands of Exchange servers had been compromised worldwide, with the number of victims increasing by the hour.

Krebs questioned Microsoft’s response timing, saying that the timeline illustrates that the company "had almost two months to push out the patch it ultimately shipped Mar. 2, or else help hundreds of thousands of Exchange customers mitigate the threat from this flaw before attackers started exploiting it indiscriminately”.

IT Pro has contacted Microsoft for comment but is yet to hear back from the company.

The number of victims is estimated to be in the hundreds of thousands, with the European Banking Authority (EBA) becoming the latest major public body to be compromised by the hack.

In a statement, the EBA said that it “is working to identify what, if any, data was accessed”, adding that it had “decided to take its email systems offline” as a “precautionary measure”. 

Chinese state-sponsored hacking group Hafnium is believed to be behind the attack.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Microsoft shares more details about Android apps in Windows 11
Microsoft Windows

Microsoft shares more details about Android apps in Windows 11

20 Oct 2021
WANdisco makes LiveData platform for Azure generally available
Microsoft Azure

WANdisco makes LiveData platform for Azure generally available

18 Oct 2021
Microsoft to shutdown LinkedIn in China
Careers & training

Microsoft to shutdown LinkedIn in China

15 Oct 2021
The future of productivity
Whitepaper

The future of productivity

13 Oct 2021

Most Popular

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021