A former Microsoft security official has warned that cybercriminals are taking advantage of vulnerabilities in Microsoft Exchange e-mail servers because organizations have not been properly warned about which systems to patch.
Many organizations do not appear to have patched, which has led to mass exploitation of the vulnerabilities, warned Kevin Beaumont, who published a post on the DoublePulsar blog.
Hundreds of U.S. government systems are exposed, he added, while the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on Saturday.
Among the attackers exploiting the flaws is a ransomware group known as LockFile, which has taken advantage of problems that were first fixed by Microsoft in March. LockFile has been linked to ransomware attacks in various industries, including financial services and tourism, worldwide, mainly in the US and Asia, according to security company Symantec. According to DoublePulsar, it first appeared on the network of a US financial institution on July 20.
The attacks can be traced to weaknesses that were revealed during a hacking contest this year and fully analyzed last week by Orange Tsai. Tsai found three vulnerabilities in Microsoft Exchange (the on-premises version, not Office 365) that, when combined, could be used to take remote control of an email server.
Beaumont has now released a tool to help detect unpatched systems. It has already been used by the Austrian National Computer Emergency Response Team to scan for vulnerable servers.
CISA said it "strongly urges organizations to identify vulnerable systems in their networks and immediately implement the Microsoft Security Update from May 2021, which fixes all three ProxyShell vulnerabilities, to protect themselves from these attacks".