Hackers seize severe Microsoft Exchange vulnerabilities in echo of widespread March attacks

The fallout could be worse than the Hafnium attacks in March.
The Microsoft store is seen on April 30, 2020 in New York City. (Photo by Eduardo MunozAlvarez/VIEWpress via Getty Images)

A fresh wave of attacks against Microsoft Exchange has government cybersecurity officials on guard for a possible repeat of the chaos hackers rendered earlier this year by exploiting different vulnerabilities in the popular workplace mail server.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an urgent warning Saturday that cybercriminals are actively exploiting months-old vulnerabilities in Microsoft’s ProxyShell.

CISA recommended that customers update their systems using software patches that Microsoft released in May to address the vulnerabilities. National Security Agency Cybersecurity Director Rob Joyce also urged companies to patch against the vulnerabilities.

Huntress Lab, which first reported the surge in attacks, reported 300 total compromised servers as of Monday. Targeted organizations identified by Huntress include seafood processors, industrial machinery, auto repair shops, dental and law offices and more.


“We’re starting to call this another Microsoft Exchange incident no one is talking about,” said John Hammond, senior security researcher at Huntress.

Bad actors have already used the web shells to deploy crypto-mining malicious software and ransomware, Huntress and several other firms have confirmed.

Microsoft Exchange servers are an extremely valuable target for both nation-state and criminal hackers looking to conduct espionage and distribute malware. Tens of thousands of private companies, governments and nonprofits around the world use the technology.

This isn’t the first time this year hackers have exploited a Microsoft Exchange vulnerability to do serious damage. Microsoft warned in March that a group of Chinese hackers dubbed Hafnium had exploited a different vulnerability to attacks thousands of servers belonging to clients in both the private and public sector in the United States and abroad. A second wave of attackers targeted unpatched servers to deploy malware including ransomware.

The United States and several allies officially blamed hackers affiliated with the Chinese government for the attack in July.


While the attack bears similarities to the Hafnium campaign discovered in March, there are also key differences. Patches for the vulnerabilities already exist, which could help stem the number of victims. Where Hafnium launched a coordinated, widespread attack, the actors behind the ProxyShell attacks are dispersed.

Another key difference is that hackers don’t need to access credentials to use all the ProxyShell vulnerabilities, making them even easier to weaponize.

“Anyone with technical chops and a little bit of know-how could recreate and craft this attack chain,” Hammond said.

Cybersearcher researcher Orange Tsai, who reported the vulnerabilities to Microsoft, warned of their dangers at a Black Hat conference presentation earlier this month.

“These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed in March — they are more exploitable, and organizations largely haven’t patched,” former Microsoft researcher Kevin Beaumont wrote in a blog post.


Beaumont accused Microsoft of downplaying the severity of the vulnerabilities in light of the negative attention to the attacks earlier this year.

Microsoft did not immediately respond to a request for comment.

Hammond said that “this isn’t the sky is falling incident like March was yet,” but that it’s urgent that companies patch and look for indicators of compromise to prevent it from getting there. Huntress has already identified malicious actors storing web shells in uncommon places, potentially making it harder for victims to remediate the damage.

“I think if that number were to grow from 300 servers to 1,000 or more that certainly starts to look bleak,” Hammond said.

Updated 8/21: to include additional information from Huntress Labs.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts