Federal Agencies Release Advisory on Microsoft Exchange Server Hack

March 11, 2021 Updated: March 11, 2021

The nation’s top cybersecurity agencies, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), released a joint Cybersecurity Advisory on Wednesday regarding the hack of Microsoft Exchange Server, calling on potential victims and users to install the available patches and to check their servers for signs of unauthorized activity.

“Continual use of unpatched exchange servers or delayed implementation of Microsoft-released updates poses a serious risk to affected systems,” the advisory warned. It recommended installing all the security patches that Microsoft released on March 2.

On March 3, Microsoft announced that they had observed “multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.”

A “zero-day exploit” takes advantage of a software or hardware flaw before the vendor has released a fix, often because the vendor is not yet aware of the flaw.

Microsoft attributed the operation to a group it calls “Hafnium,” which it assessed to be state-sponsored and operating out of China, while conducting its attacks primarily through leased virtual private servers located in the United States.

The joint advisory said of the attack, “Successful exploitation of these vulnerabilities allows an attacker to access victims’ Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.”

“It has the potential to affect tens of thousands of systems in the United States and provides adversaries with access to networks containing valuable research, technology, personally identifiable information (PII), and other sensitive information from entities in multiple U.S. sectors,” the advisory added.

A security expert involved in Microsoft’s investigation told technology magazine WIRED that more than 30,000 Microsoft Exchange servers in the United States and hundreds of thousands worldwide have been hacked, “apparently by the same group.”

On March 7, the European Banking Authority (EBA), an EU financial regulator, announced that its email systems had been compromised in the cyberattack.

“As the vulnerability is related to the EBA’s email servers, access to personal data through emails held on those servers may have been obtained by the attacker,” the EBA said in a statement.

On March 8, the organization released another statement saying that its investigation was ongoing.

The EBA wasn’t the only known victim. The city government of Lake Worth Beach in Florida said that its email server was down for about three days starting March 3 as a result of the cyberattack, according to the local daily Palm Beach Post.

The advisory also provided detailed technical guidance on which server logs to examine so that administrators could check their own Exchange servers for indicators of compromise.
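As an added illustration of what that log-based self-check looks like in practice (this is example code written for this page, not a script from the advisory or from Microsoft), the following Python scans Exchange HttpProxy logs for the indicator Microsoft published for the server-side request forgery bug in this wave, CVE-2021-26855: a proxied request with an empty AuthenticatedUser whose AnchorMailbox matches the wildcard pattern ServerInfo~*/*. The sample log lines are constructed and use a simplified column set; real HttpProxy logs under the Exchange Logging directory carry many more columns, and the function names here are the author's own.

```python
"""Scan Exchange HttpProxy CSV logs for the CVE-2021-26855 indicator that
Microsoft published: an unauthenticated proxied request whose AnchorMailbox
looks like 'ServerInfo~*/*' (PowerShell -like semantics, case-insensitive).

Example code for this page, not from the joint advisory or from Microsoft.
"""
from __future__ import annotations

import csv
import fnmatch

# Constructed sample in a simplified HttpProxy layout.  Rows 1-2 are ordinary
# traffic (an authenticated OWA request and an anonymous hit on the logon
# page); row 3 matches the indicator; row 4 has no '/' after 'ServerInfo~'
# and therefore does not match the published pattern.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,ClientIpAddress,AuthenticatedUser,UrlStem,AnchorMailbox
2021-03-03T10:15:01.123Z,203.0.113.5,CONTOSO\\alice,/owa/,Sid~S-1-5-21-1000-2000-3000-1105
2021-03-03T10:15:02.456Z,198.51.100.7,,/owa/auth/logon.aspx,
2021-03-03T10:15:03.789Z,192.0.2.44,,/ecp/,ServerInfo~localhost/ews/exchange.asmx
2021-03-03T10:15:04.012Z,192.0.2.44,,/ecp/,ServerInfo~mail01.contoso.example
"""

REPORT_COLUMNS = ("DateTime", "ClientIpAddress", "UrlStem", "AnchorMailbox")


def parse_httpproxy_log(text: str) -> list[dict]:
    """Parse one HttpProxy log file into a list of row dicts.

    Exchange prefixes its logs with '#'-comment lines.  The column names are
    taken either from a plain header line (as in the constructed sample) or,
    if present, from a '#Fields:' comment line, so both layouts are handled.
    """
    header: list[str] | None = None
    data_lines: list[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                header = line[len("#Fields:"):].strip().split(",")
            continue
        data_lines.append(line)
    if header is not None and data_lines and data_lines[0].split(",") == header:
        data_lines = data_lines[1:]  # header repeated as a plain line
    return list(csv.DictReader(data_lines, fieldnames=header))


def is_suspicious(row: dict) -> bool:
    """Microsoft's published indicator for CVE-2021-26855: no authenticated
    user, and an anchor mailbox pointing at a backend server path rather
    than a user mailbox.  Lower-casing mirrors PowerShell's -like operator."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = (row.get("AnchorMailbox") or "").lower()
    return user == "" and fnmatch.fnmatchcase(anchor, "serverinfo~*/*")


def scan_httpproxy_log(text: str) -> list[dict]:
    """Return the matching rows, trimmed to the columns an analyst reports."""
    return [
        {col: row.get(col, "") for col in REPORT_COLUMNS}
        for row in parse_httpproxy_log(text)
        if is_suspicious(row)
    ]


if __name__ == "__main__":
    for hit in scan_httpproxy_log(SAMPLE_LOG):
        print("SUSPICIOUS:", hit)
```

A hit on this pattern is a strong signal that the server was probed or exploited and warrants a full incident investigation, but an empty result does not establish that a server is clean: this heuristic covers only one of the exploited bugs, and the same guidance calls for reviewing other logs and for checking the web root for unexpected files (web shells). Microsoft's own Test-ProxyLogon.ps1 script automates this check together with several others and should be preferred on a production server.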

The Australian Cyber Security Centre also reported that a large number of Australian organizations affected by the hacks remain vulnerable because they have yet to update their systems.

Frank Fang contributed to this report.