Everything you need to know about the Microsoft Exchange Server hack

Updated: Vulnerabilities are being exploited by Hafnium. Other cyberattackers are following suit.



Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by a state-sponsored threat group from China and appear to have been adopted by other cyberattackers in widespread attacks.

While not believed to be connected to the SolarWinds supply chain attack, which has so far affected an estimated 18,000 organizations worldwide, there is concern that lags in patching vulnerable Exchange servers could have a similar impact on businesses, or worse.


Here is everything you need to know about the security issues; this guide will be updated as the story develops.

What happened?

Microsoft told security expert Brian Krebs that the company was made aware of four zero-day bugs in “early” January.

A DEVCORE researcher, credited with finding two of the security issues, appears to have reported them around January 5. Going under the handle “Orange Tsai,” the researcher tweeted:

“Just report a pre-auth RCE chain to the vendor. This might be the most serious RCE I have ever reported.”

According to Volexity, attacks using the four zero-days may have started as early as January 6, 2021. Dubex reported suspicious activity on Microsoft Exchange servers in the same month.

On March 2, Microsoft released patches to tackle the four severe vulnerabilities in Microsoft Exchange Server software. At the time, the company said that the bugs were being actively exploited in “limited, targeted attacks.”

On March 12, reports emerged that Microsoft had focused its investigation on whether the attackers obtained information about the vulnerabilities from a Microsoft partner, either intentionally or unintentionally. It is suspected that the hackers possessed Proof-of-Concept (PoC) attack code that Microsoft shared with antivirus and security vendors as part of the Microsoft Active Protections Program (MAPP).

Microsoft Exchange Server is a mail, calendar, and collaboration server. Its users range from enterprise giants to small and medium-sized businesses worldwide.

While fixes have been issued, the scope of potential Exchange Server compromise depends on the speed and uptake of patches — and the number of estimated victims continues to grow.

Specifically, Microsoft is reportedly comparing the PoC code it issued privately to security partners before the patches shipped with the exploit tools later spotted in the wild, and examining whether an accidental or deliberate leak of that code explains the spike in attacks.

What are the vulnerabilities and why are they important?

The critical vulnerabilities, known together as ProxyLogon, affect on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Exchange Online is not affected.

Microsoft is now also updating Exchange Server 2010 “for defense-in-depth purposes.”

  • CVE-2021-26855: CVSS 9.1: a Server-Side Request Forgery (SSRF) vulnerability that lets an unauthenticated attacker send crafted HTTP requests and authenticate to the Exchange server as the server itself. It is the entry point of the chain: the attacker only needs to be able to make an untrusted connection to port 443 on the server.
  • CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging service, allowing arbitrary code execution as SYSTEM. Exploiting it requires administrator permission, obtained either through another vulnerability or with stolen credentials.
  • CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability that lets an authenticated attacker write a file to any path on the server.
  • CVE-2021-27065: CVSS 7.8: a second post-authentication arbitrary file write vulnerability with the same effect.

Chained together (the SSRF to authenticate, then a file write to drop a web shell), these vulnerabilities give an unauthenticated attacker Remote Code Execution (RCE), and from there server hijacking, backdoors, data theft, and potentially further malware deployment.

In summary, Microsoft says that attackers secure access to an Exchange Server either through these bugs or stolen credentials and they can then create a web shell to hijack the system and execute commands remotely.

“These vulnerabilities are used as part of an attack chain,” Microsoft says. “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”

On March 10, PoC code was published on GitHub and then taken down by the platform. On the weekend of March 14/15, a new PoC was released by another researcher, described as bringing exploitation of Exchange servers down to “script-kiddie” level.

Who is responsible for known attacks?

Microsoft says that attacks using the zero-day flaws have been traced back to Hafnium.

Hafnium is a state-sponsored advanced persistent threat (APT) group from China that is described by the company as a “highly skilled and sophisticated actor.”

While Hafnium operates from China, the group routes its attacks through leased virtual private servers (VPS) in the US to conceal its true location. According to Microsoft, its previous targets include infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and non-profits.

Is it just Hafnium?

When zero-day vulnerabilities in widely used software come to light and emergency fixes are issued, the ramifications can be massive. Exposure usually comes down to how quickly patches are applied: IT staff may not be aware of the new patch, may not know that the organization runs the affected software, third-party library, or component, or may be unable to apply the fix because of compatibility problems.

Mandiant says further attacks against US targets include local government bodies, a university, an engineering company, and retailers. The cyberforensics firm believes the vulnerabilities could be used for the purposes of ransomware deployment and data theft.

Sources have told cybersecurity expert Brian Krebs that approximately 30,000 organizations in the US have been hacked so far. Bloomberg estimates put this figure closer to 60,000, as of March 8. Palo Alto Networks suggests there are at least 125,000 unpatched servers worldwide.

In an update on March 5, Microsoft said the company “continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond Hafnium.”

On March 11, Check Point Research said that attack attempts leveraging the vulnerabilities were doubling every few hours. On March 15, CPR said attack attempts had increased tenfold, based on data collected between March 11 and March 15. The US, Germany, and the UK are now the most targeted countries. Government and military targets account for 23% of all exploit attempts, followed by manufacturing, financial services, and software vendors.

As of March 12, Microsoft and RiskIQ say at least 82,000 servers remain unpatched.

The European Banking Authority is one of the latest victims. The EBA says there is “no indication to think that the breach has gone beyond our email servers.” An assessment is underway.

The US Cybersecurity and Infrastructure Security Agency (CISA) says that the agency is “aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers.”

The Biden Administration is forming a task force to explore the reported links between Microsoft Exchange attacks and China, according to CNN, with private sector players now invited to take part.

On March 10, ESET said that 10 APT groups have been connected to attacks exploiting the Exchange Server vulnerabilities. These state-sponsored groups include LuckyMouse, Tick, Winnti Group, and Calypso.

On March 12, in a development reminiscent of the 2017 WannaCry outbreak, Microsoft said that a new ransomware family dubbed DearCry is being deployed through the bugs on vulnerable Exchange servers.


How can I check my servers and their vulnerability status? What do I do now?

Microsoft has urged IT administrators and customers to apply the security fixes immediately. Patching, however, does not undo a compromise that has already happened: a server that was backdoored before the fix was applied stays backdoored, so patched servers must still be checked for web shells and other indicators of compromise.

Interim mitigation option guides are also available if patching immediately is not possible.

Microsoft has also published a script on GitHub (Test-ProxyLogon.ps1, in its CSS-Exchange repository) that IT administrators can run to search Exchange logs for indicators of compromise (IOCs) linked to the four vulnerabilities. The IOCs themselves, including web shell hashes, file paths, and log patterns, are published as a separate list.

On March 8, Microsoft released an additional set of security updates that can be applied to older, unsupported Cumulative Updates (CUs) as a temporary measure.

On March 15, Microsoft released a one-click tool to make it easier for businesses to mitigate the risk to their internet-facing servers. The Microsoft Exchange On-Premises Mitigation Tool, available on GitHub, is currently “the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching,” according to the firm.

CISA issued an emergency directive (ED 21-02) on March 3 that requires federal agencies to immediately analyze any servers running Microsoft Exchange and to apply Microsoft’s fixes. UK companies, too, have now been urged by the NCSC to patch immediately.

Where an agency finds indicators of suspicious activity dating back as far as September 1, 2020, CISA requires it to disconnect the affected servers from the Internet to mitigate the risk of further damage. The FBI has also released a statement on the situation.
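The kind of check Microsoft’s IOC script performs, and the September 2020 look-back window CISA set, can be illustrated with a small log scanner. The following is an added example written for this guide; it is not Microsoft’s Test-ProxyLogon.ps1 or any other code from Microsoft. It assumes two things, both labelled in the code: the log layout is a constructed, cut-down version of the Exchange HttpProxy CSV format (real files carry many more columns, which is why the parser keys on the `#Fields` header rather than on column positions), and the indicator is the one Microsoft published for CVE-2021-26855, namely an HttpProxy row with an empty AuthenticatedUser and an AnchorMailbox of the form `ServerInfo~*/*`. The sample rows are constructed, not real telemetry.

```python
"""Scan Exchange HttpProxy logs for the CVE-2021-26855 (ProxyLogon SSRF) indicator.

Added example, not Microsoft's Test-ProxyLogon.ps1. Assumptions, labelled:
- the log layout below is a constructed, cut-down version of the HttpProxy CSV
  format (real files carry many more columns; the parser keys on the #Fields
  header so column order and count do not matter);
- the indicator is the one Microsoft published for this CVE: an empty
  AuthenticatedUser together with an AnchorMailbox matching ServerInfo~*/*.
"""
import csv
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Optional

# Start of the look-back window CISA's directive told agencies to analyse.
LOOKBACK_START = datetime(2020, 9, 1, tzinfo=timezone.utc)

# Constructed sample log (not real telemetry). Two rows carry the SSRF
# indicator inside the window, one is a normal OWA login, one predates the window.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-01T10:15:02.123Z,1a2b,Ecp,/ecp/default.flt,,ServerInfo~EXCH01/autodiscover/autodiscover.xml?#,203.0.113.10,200
2021-03-01T10:15:03.456Z,1a2c,Owa,/owa/auth.owa,CORP\\jdoe,Sid~S-1-5-21-1,198.51.100.7,200
2021-03-01T10:16:11.789Z,1a2d,Ecp,/ecp/y.js,,ServerInfo~localhost/ecp/DDI/DDIService.svc/SetObject,203.0.113.10,200
2020-08-15T08:00:00.000Z,1a2e,Ecp,/ecp/x.js,,ServerInfo~EXCH01/owa,203.0.113.10,200
"""


def parse_httpproxy_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields: Optional[List[str]] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = [f.strip() for f in raw[len("#Fields:"):].split(",")]
            continue  # other '#' lines are metadata (software, log type, date)
        if fields is None:
            raise ValueError("data row encountered before a #Fields header")
        row = next(csv.reader([raw]))
        if len(row) != len(fields):
            continue  # truncated or malformed row: skip it rather than misalign columns
        yield dict(zip(fields, row))


def parse_log_time(value: str) -> datetime:
    """HttpProxy DateTime values are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def is_proxylogon_ssrf(entry: Dict[str, str]) -> bool:
    """True when the row matches the published CVE-2021-26855 pattern."""
    anchor = entry.get("AnchorMailbox", "")
    unauthenticated = entry.get("AuthenticatedUser", "") == ""
    return unauthenticated and anchor.startswith("ServerInfo~") and "/" in anchor


def find_ssrf_hits(text: str, since: Optional[datetime] = LOOKBACK_START) -> List[Dict[str, str]]:
    """Return matching rows at or after `since` (None disables the time filter)."""
    hits = []
    for entry in parse_httpproxy_log(text):
        if since is not None and parse_log_time(entry["DateTime"]) < since:
            continue
        if is_proxylogon_ssrf(entry):
            hits.append(entry)
    return hits


def hits_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per source IP; one IP hammering /ecp is the typical shape."""
    return dict(Counter(h["ClientIpAddress"] for h in hits))


if __name__ == "__main__":
    found = find_ssrf_hits(SAMPLE_HTTPPROXY_LOG)
    for h in found:
        print(h["DateTime"], h["ClientIpAddress"], h["UrlStem"], h["AnchorMailbox"])
    print(hits_by_client(found))
```

Against the constructed sample, the scanner reports the two `/ecp` requests from 203.0.113.10 and ignores both the authenticated OWA login and the row that predates the September 1, 2020 window. To run it against a real server, read each file under the HttpProxy logging directory that Microsoft named in its guidance (`%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy`) and pass its contents to `find_ssrf_hits`. A match is evidence of an exploitation attempt, not proof of success; the next step is to look for dropped web shells and run Microsoft’s own script, which covers all four CVEs.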

AccountGuard, expanded

On March 9, Microsoft opened up access to additional identity and access management protections, at no extra cost, to AccountGuard members in 31 democracies.

AccountGuard is a program designed to protect the accounts of Microsoft users at a higher risk of compromise or attack due to their involvement in politics. The program is also available to journalists and those on the frontline fighting COVID-19.

Microsoft continues to investigate and as more information comes to light we will update.





Colonial Pipeline cyberattack shuts down pipeline that supplies 45% of East Coast’s fuel

The attack highlights how ransomware and other cyberattacks are increasingly a threat to real-world infrastructure.



Colonial Pipeline, which accounts for 45% of the East Coast’s fuel, said it has shut down its operations due to a cyberattack.

The attack highlights how ransomware and other cyberattacks are increasingly a threat to real-world infrastructure. The company delivers refined petroleum products such as gasoline, diesel, jet fuel, home heating oil and fuel for the U.S. Military.

In a statement, Colonial Pipeline said:

On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems. Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have already launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies.

Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline.


Here’s a look at the Colonial Pipeline system affected by the cyberattack.


Should the shutdown continue, it may lead to supply shortages, since the pipeline covers so much territory in the US.





FlexiSpot Bamboo EN1 review: Affordable electric standing desk with stand interval reminders

Working from home, or working long hours in an office, can wear on you, so changing up the scenery a bit with an electric standing desk is a good way to initiate movement. Over the past year of the pandemic, I’ve come to realize standing desks are perfect for me.




As I discussed in the video of my home office, I spent many years working at my old Costco desk, which served just fine for a couple of hours of work here and there. However, with COVID-19 driving people to work remotely, a standing desk has become my platform of choice and my Costco desk is now used for storing mobile gear I am reviewing.

A representative from FlexiSpot reached out to see if I was interested in testing an electric standing desk. I was sent a bamboo desktop with the EN1 standing desk frame to evaluate. You can purchase desk series that includes the frame, desktop, and keypad or you can purchase frames and desktops separately.


A few key features I look for in electric standing desks are programmable height settings for quick transitions between sitting and standing, quiet motors, enough height to accommodate my 6-foot-1 frame, and a stable platform at standing height. The FlexiSpot solution satisfied all of these and even provided a convenient additional feature I haven’t seen before.

Desk assembly

The desk arrived in two separate boxes a couple of days apart. The EN1 frame, including the legs, feet, and controller, was in one box and the desktop was contained in another box. The EN1 frame box was quite heavy as the legs and motor are pretty dense, helping to make the desk quite stable at the full height.

The legs and top were well protected in the boxes and were in perfect condition. The box with the legs includes the directions, bolts, screws, Allen wrenches needed to install the bolts, a measuring tape, and a basic wrench to tighten the drive shaft. You will need a Phillips screwdriver or, even better, an electric drill to drive in the wood screws that secure the frame to the bottom of the desktop.


The directions were easy to follow, but properly tightening the crossbeam at the right length was a bit confusing. I read through all of the directions and then figured I would temporarily tighten the crossbeam at a certain length and then come back to adjust it after I placed it on the bottom of the desktop. The crossbeam length is dependent on the transmission rod placement and the desktop length. Step 5 of the directions states that the distance from the edge of the desktop to the frame should be less than 7.9 inches. I selected 7 inches as my length and made sure the frame was the same on both sides.

Interestingly, there are no holes in the desktop for placement and alignment of the frame, so you will also need a measuring tape to center the frame on the bottom of the desktop and make sure you are within the 7.9-inch guidance at each end. There were holes for aligning the standard digital keypad, with wood screws also used to secure it to the desktop. I installed the desk in a room with carpet, but the feet also have levelers on the bottom in case you need to level the desk.

Cable ties with tape were also provided so you can secure the keypad, motor, and power cables under the desktop securely. The cables were easy to route and plug in for proper use with the desk.

Design and setup

There are many options when it comes to electric standing desks and the FlexiSpot one I tested is one of the most affordable. The bamboo desktop is priced at $180 for the 55-inch by 28-inch rectangle top I tested. You can also select a curved top, as well as size options of 48×24 ($150) and 60×30 ($290) inches.

The EN1 standing desk frame, with a digital display keypad, is priced at $229.99. The frame is available in black, gray, and white. The frame is designed for a capacity of 154 pounds. FlexiSpot has other frame options that have dual motors and higher weight capacity.

After connecting everything together, plug in the desk to activate it. There are three programmable memory settings, up/down arrows with an LED display showing the current height in green, a memory save button, and a reminder settings button. Height settings are available from 28 inches to 47.6 inches, not including the desktop thickness. My preferred sitting height is 30.5 inches and my preferred standing height is 45.1 inches. Switching between these two takes only several seconds, and the movement is quiet too.

The reminder option is a handy feature: you can program a period of between 0 and 99 minutes after which a buzzer sounds for 10 seconds to remind you to stand. If you press any button within that 10-second period, the timer starts over. If you do not press any button in that time, another buzzer activates after five minutes. If you again do not press a button, the reminder function turns off. You can simply press the A button to re-enable the timer.

Daily experiences

The bamboo desktop looks and feels great with a solid surface. It’s a naturally sourced material made from 100% bamboo so you can trust you have an eco-friendly desktop surface.

The EN1 frame is very solid and heavy-duty. Even at the full height, the desk is stable when loaded with computers and other gear. The directions are comprehensive, except for the alignment of the crossbeam and fit to center the frame under the desktop.

The price is excellent for an electric standing desk with the quality of construction and all of the included features.

Even if there aren’t measurable health benefits of standing over sitting, simply changing my perspective throughout the day has made me more productive. In addition, I find when I transition from sitting to standing it prompts me to leave the office and walk around my house so more activity is being initiated through regular sessions of standing.

It’s great to shift to a standing position and look out my room window to see some of the world around me as I work. Spending several hours a day on Microsoft Teams meetings can be a defeating lifestyle, but standing desks switch up your perspective a bit and get you shifting your weight around as you make the transition up and down.






Adobe Flash: Microsoft lays out plans to remove it from Windows 10 PCs for good

Microsoft’s July Patch Tuesday security update will include the Flash removal update for all versions of Windows 10.



Microsoft is preparing to issue two more Windows 10 updates in June and July that will eliminate unsupported Adobe Flash Player from Windows PCs for good.

The update KB4577586 called “Update for Removal of Adobe Flash Player” has been available as an optional update since October and now looks set for a broader deployment.

Flash Player officially reached end of life on December 31, 2020 as per an announcement by Adobe and major browser makers in 2017.


Via Windows Latest, Microsoft in late April updated an old blogpost detailing its Flash removal plans that it now says will culminate in the update rolling out in the upcoming Patch Tuesday security updates targeting older versions of Windows 10.

In June, Microsoft plans to ship KB4577586 in the optional preview updates for Windows 10, ahead of July’s Patch Tuesday. The July cumulative updates are not optional, so from then on the removal should reach all Windows 10 machines via Windows Update and WSUS.

“Starting in June 2021, the KB4577586 “Update for Removal of Adobe Flash Player” will be included in the Preview Update for Windows 10, version 1809 and above platforms. It will also be included in every subsequent Latest Cumulative Update,” Microsoft said.

“As of July 2021, the KB4577586 “Update for Removal of Adobe Flash Player” will be included in the Latest Cumulative Update for Windows 10, versions 1607 and Windows 10, version 1507. The KB will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard,” it added.


Also, Windows 10 version 21H1 or the May 2021 Update is due out any day now, possibly with the May Patch Tuesday update. Of course, this version won’t be shipping with Flash Player. Microsoft notes that when users update to 21H1 or later, Flash will be removed.

KB4577586 remains an optional update to install for now. However, Microsoft will eventually mark it as a “recommended update”. Once installed, the Flash removing update cannot be uninstalled.




