Microsoft Exchange Server users are being targeted by hackers in a series of ransomware attacks affecting thousands of organisations worldwide.
According to Reuters, more than 20,000 organisations have been compromised in the US with many more across the globe.
The victims include the European Banking Authority which has announced that personal data may have been accessed from its servers. It had to pull its entire email system offline while it assessed the damage.
In early March Microsoft reported a new family of human-operated ransomware attacks labelled Ransom: Win32/DoejoCrypt – also known as “DearCry”– which prevent users from being able to use their PCs or access their data until a payment is sent to hackers.
The hacking campaign has been blamed on a Chinese government-backed hacking group, Hafnium. Microsoft said the group was using four new hacking techniques to infiltrate Exchange email systems.
But internet security company ESET has also identified many other threat groups and behaviour clusters benefitting from the same flaws in Microsoft Exchange. ESET believes more than 500 email servers in the UK may have been hacked, and many companies are unaware they are victims.
Companies using Exchange are advised to install the latest updates immediately. The updates can be found on the Microsoft website. If updates cannot be installed, the recommended Microsoft ‘mitigations’ should be implemented. These mitigations are temporary measures and only recommended where updating is not immediately possible.
If organisations cannot install the updates, or apply any of the mitigations, the UK National Cyber Security Centre (NCSC) recommends isolating the Exchange Server from the internet by blocking untrusted connections to the Exchange Server port 443. If secure remote access solutions are already in place (such as a VPN or VDI), configure Exchange only to be available remotely via this solution.
The NCSC also strongly advises all organisations using affected versions of Microsoft Exchange Servers to proactively search systems for evidence of any compromise in line with Microsoft’s guidance.
Gary Jowett, from Computer & Network Consultants (CNC) in Brighton, said: “CNC has already contacted all of its customers affected and applied the necessary patches. But there will be many businesses unaware of the threat because they do not have an independent IT company looking after their best interests. All organisations that use Microsoft Exchange should follow the NCSC’s guidance as a matter of urgency to avoid storing up hidden problems that could result in the loss of valuable data in the future.”