NCSC issues Exchange hack warning as Microsoft probes security partner leak

An estimated 7,000 UK servers have been affected by the vulnerabilities and only half have been secured

The National Cyber Security Centre (NCSC) has urged businesses to patch against recently disclosed vulnerabilities in Exchange as Microsoft investigates whether hackers exploiting the flaws had obtained information from its security partners.

Businesses should install the latest Microsoft Exchange updates “as a matter of urgency”, as well as search their systems for evidence of compromise, according to the latest advice from the NCSC. The government agency asked any affected UK organisations to disclose “any suspected compromises” via the NCSC cyber security incident reporting website.

The agency has confirmed that an estimated 7,000 UK servers had been affected by the vulnerabilities, of which around half have already been secured.

NCSC director for Operations Paul Chichester said that “organisations should also be alive to the threat of ransomware and familiarise themselves with [the NCSC’s] guidance”. 

Chichester said that the agency is “working closely with industry and international partners to understand the scale and impact of UK exposure, but it is vital that all organisations take immediate steps to protect their networks”.

“Whilst this work is ongoing, the most important action is to install the latest Microsoft updates,” he added.

The guidance came as Microsoft launched an investigation into whether an unnamed Microsoft security partner, which had access to sensitive information on the vulnerabilities behind the attacks, had leaked the intelligence to hacking groups – and whether it had done so by accident or on purpose.

Insider sources told the Wall Street Journal that the tech giant was in the process of reviewing the Microsoft Active Protections Program (Mapp), an information-sharing programme launched in 2008 with the aim of providing security companies a head start in detecting cyber security threats. 

A number of Mapp partners had knowledge of the vulnerabilities since 23 February, a week prior to the release of patches and the launch of the attacks, according to the sources. Out of the estimated 80 organisations involved in the programme globally, about 10 are based in China – where the state-sponsored Hafnium group is said to be operating from.

Related Resource

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

How to manage security risk and compliance - whitepaperDownload now

Hafnium has been accused of orchestrating the attacks immediately after they were first reported, with Microsoft’s corporate VP of Customer Security & Trust, Tom Burt, saying that “while Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States”.

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs,” he said, adding that the group “engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software”.

However, since then it has been revealed that at least 10 other hacking groups were also involved in exploiting the Exchange Server vulnerabilities.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
PayPal looks to block hate group funding
Security

PayPal looks to block hate group funding

26 Jul 2021
What is two-factor authentication?
two-factor authentication (2FA)

What is two-factor authentication?

23 Jul 2021
Mitre reveals the most dangerous software vulnerabilities
Software

Mitre reveals the most dangerous software vulnerabilities

23 Jul 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Six ways boards can step up support for cyber security
Business strategy

Six ways boards can step up support for cyber security

22 Jul 2021