Microsoft was warned about Exchange Server flaws two months ago


Sabina Weston

9 Mar, 2021

Microsoft was aware of the Exchange Server vulnerabilities two months prior to the attack orchestrated by state-backed hackers, having confirmed that it was initially notified in “early January”.

The tech giant made the statement to cyber security journalist Brian Krebs, who has compiled a basic timeline of the hack on his blog

Krebs’ research shows that, on 5 January, Microsoft was first notified of two of the four zero-day vulnerabilities by a researcher at security testing firm DevCore. On 2 February, cyber security solutions provider Volexity also reported the same two vulnerabilities to Microsoft, having witnessed attack traffic going back to 3 January.

Warnings also came from Danish cyber security provider Dubex, which first witnessed clients being hit on 18 January. The company reported their incident response findings to Microsoft on 27 January.

In a blog post, Dubex detailed how hackers took advantage of the ‘unifying messaging’ module in Exchange, which allows organisations to store voicemail and fax files, as well as emails, calendars, and contacts in users’ mailboxes, in order to install web shell backdoors.

“A unified messaging server also allows users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App. Most users and IT departments manage their voicemail separately from their email, and voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone,” Dubex revealed.

However, Dubex’s CTO Jacob Herbst told KrebsOnSecurity that the company “never got a ‘real’ confirmation [from Microsoft] of the zero-day before the patch was released”.

The four zero-day vulnerabilities were ultimately patched on 2 March, a week earlier than previously planned. However, only a day later it was revealed that tens of thousands of Exchange servers had been compromised worldwide, with the number of victims increasing by the hour.

Krebs questioned Microsoft’s response timing, saying that the timeline illustrates that the company “had almost two months to push out the patch it ultimately shipped Mar. 2, or else help hundreds of thousands of Exchange customers mitigate the threat from this flaw before attackers started exploiting it indiscriminately”.

IT Pro has contacted Microsoft for comment but is yet to hear back from the company.

The number of victims is estimated to be in the hundreds of thousands, with the European Banking Authority (EBA) becoming the latest major public body to be compromised by the hack.

In a statement, the EBA said that it “is working to identify what, if any, data was accessed”, adding that it had “decided to take its email systems offline” as a “precautionary measure”. 

Chinese state-sponsored hacking group Hafnium is believed to be behind the attack.