{"id":41868,"date":"2021-03-09T14:58:26","date_gmt":"2021-03-09T14:58:26","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=ce86dfc4ba2874c025fa3f6b52d66b9d"},"modified":"2021-03-09T14:58:26","modified_gmt":"2021-03-09T14:58:26","slug":"microsoft-was-warned-about-exchange-server-flaws-two-months-ago","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/microsoft-was-warned-about-exchange-server-flaws-two-months-ago\/","title":{"rendered":"Microsoft was warned about Exchange Server flaws two months ago"},"content":{"rendered":"


\n Sabina Weston<\/a><\/span>
\n <\/span><\/p>\n

\n
\n
9 Mar, 2021<\/span><\/div>\n<\/p><\/div>\n<\/div>\n

\n<\/a><\/p>\n

\n

Microsoft<\/a>\u00a0was aware of the Exchange Server vulnerabilities two months prior to the\u00a0attack orchestrated by state-backed hackers<\/a>, having confirmed that it was initially notified in \u201cearly January\u201d.<\/p>\n

The tech giant made the statement to\u00a0cyber security<\/a>\u00a0journalist Brian Krebs, who has compiled a basic timeline of the hack on his\u00a0blog<\/a>.\u00a0<\/p>\n

<\/p>\n

\nKrebs\u2019 research shows that, on 5 January, Microsoft was first notified of two of the four\u00a0zero-day vulnerabilities<\/a>\u00a0by a researcher at security testing firm DevCore. On 2 February, cyber security solutions provider Volexity also reported the same two vulnerabilities to Microsoft, having witnessed attack traffic going back to 3 January.<\/p>\n

Warnings also came from Danish cyber security provider Dubex, which first witnessed clients being hit on 18 January. The company reported their incident response findings to Microsoft on 27 January.<\/p>\n

In a\u00a0blog post<\/a>, Dubex detailed how hackers took advantage of the\u00a0‘unifying messaging’ module in Exchange, which allows organisations to store voicemail and fax files, as well as emails, calendars, and contacts in users\u2019 mailboxes, in order to install\u00a0web shell<\/a>\u00a0backdoors.<\/p>\n

\u201cA unified messaging server also allows users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App. Most users and IT departments manage their voicemail separately from their email, and voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone,\u201d Dubex revealed.<\/p>\n

However, Dubex\u2019s CTO Jacob Herbst told KrebsOnSecurity that the company \u201cnever got a \u2018real\u2019 confirmation [from Microsoft] of the zero-day before the patch was released\u201d.<\/p>\n

The four zero-day vulnerabilities were ultimately patched on 2 March, a week earlier than previously planned. However, only a day later it was revealed that tens of thousands of Exchange servers had been compromised worldwide, with the number of victims increasing by the hour.<\/p>\n

Krebs questioned Microsoft\u2019s response timing, saying that the timeline illustrates that the company “had almost two months to push out the patch it ultimately shipped Mar. 2, or else help hundreds of thousands of Exchange customers mitigate the threat from this flaw before attackers started exploiting it indiscriminately\u201d.<\/p>\n

IT Pro<\/em>\u00a0has contacted Microsoft for comment but is yet to hear back from the company.<\/p>\n

The number of victims is estimated to be in the\u00a0hundreds of thousands<\/a>, with the European Banking Authority (EBA) becoming the latest major public body to be compromised by the hack.<\/p>\n

In a\u00a0statement<\/a>, the EBA said that it \u201cis working to identify what, if any, data was accessed\u201d, adding that it had \u201cdecided to take its email systems offline\u201d as a \u201cprecautionary measure\u201d.\u00a0<\/p>\n

Chinese\u00a0state-sponsored hacking group<\/a>\u00a0Hafnium is believed to be behind the attack. <\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Sabina Weston<\/p>\n

9 Mar, 2021 <\/p>\n

Microsoft\u00a0was aware of the Exchange Server vulnerabilities two months prior to the\u00a0attack orchestrated by state-backed hackers, having confirmed that it was initially notified in \u201cearly January\u201d…<\/p>\n","protected":false},"author":627,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-41868","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41868","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/627"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=41868"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41868\/revisions"}],"predecessor-version":[{"id":41869,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41868\/revisions\/41869"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=41868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=41868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=41868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}