Organisations are advised to proactively search systems for evidence of compromise in case they have already been affected.
The National Cyber Security Centre (NCSC), a branch of GCHQ, has stressed that businesses and organisations need to patch their vulnerable Microsoft Exchange servers following a state-sponsored espionage campaign.
An estimated 7,000 to 8,000 servers were affected by the flaw, and only half had been patched, according to the agency.
The NCSC has been in contact with 2,300 businesses to warn them of the Exchange security risk.
The NCSC’s director for operations, Paul Chichester, insisted it is “vital that all organisations take immediate steps to protect their networks”.
He added: “Whilst this work is ongoing, the most important action is to install the latest Microsoft updates.
“Organisations should also be alive to the threat of ransomware and familiarise themselves with our guidance. Any incidents affecting UK organisations should be reported to the NCSC.”
Microsoft shared on March 2nd that flaws in its Exchange email servers were exploited by hackers. It attributed the attack to the hacking group Hafnium, a group the company “assessed to be state sponsored and operating out of China”.
The “state-sponsored” actor was identified by the Microsoft Threat Intelligence Centre based on observed “tactics and procedures,” according to the company.
The attack was initially used to gain remote access to email servers, from where sensitive data could be stolen.
After Microsoft called attention to the fault, multiple hacking groups rushed to find unpatched email servers to attack.
China’s Ministry of Foreign Affairs rubbished the accusation, and insisted the country “firmly opposes and fights all forms of cyber-attacks and thefts in accordance with the law.”
The attack primarily affected US state and local governments, policy think tanks, academic institutions, infectious disease researchers and businesses such as law firms and defence contractors, according to Microsoft.
Cybersecurity firm FireEye also shared last week that it had identified multiple specific victims “including US-based retailers, local governments, a university and an engineering firm.”
One victim, a person working at a Washington think tank who was contacted by the FBI, told CNN that attackers had used the unauthorised access to email that person’s contacts in a way that looked legitimate.