
Austria massively affected by Microsoft security vulnerability

by alex

In Austria, too, around 7,500 Microsoft Exchange servers are exposed and unprotected on the network – and have therefore probably already been attacked.

It reads like a thriller, but the effects could prove to be fatal: around 7,500 Microsoft Exchange servers in Austria could have been compromised and are consequently susceptible to ransomware attacks or data theft. This is what the Austrian National Computer Emergency Response Team (CERT.at) assumes, as a blog entry shows.

“It can be assumed that all Microsoft Exchange servers that are accessible from outside could already be affected,” says Otmar Lendl, head of the CERT.at team, in an interview with futurezone. The reason: Microsoft made a patch, i.e. a way to close the gap, available relatively quickly, but by that point the attacks were already in full swing – and still are. So the situation is serious, quite serious. Exchange is widespread in Austria, from small and medium-sized enterprises (SMEs) to public authorities and large companies.

What happened?

But first things first: on March 2nd, the first companies reported that a zero-day security hole in exposed Microsoft Exchange servers had been exploited against them. “Zero day” means that the vulnerability is exploited on the same day that it is discovered.

During the night Microsoft released the emergency patch that companies could use to close the gap. But for many companies it was too late by then: the vulnerability had already been actively exploited and their systems had already been compromised.


All unprotected Microsoft Exchange servers are affected

Who and what was the goal?

At first it was suspected that these were mainly targeted attacks on a few companies in the USA. Security researcher Brian Krebs reported that “at least 30,000 organizations” in the US were affected. But in the meantime it has turned out that the dimensions were far larger from the start.

The attackers' goal is not only to gain control of the victims' emails, but also to use the permissions obtained to reach the company's network infrastructure and to settle in there. “In the beginning, the attackers placed webshells. These are small web applications, but they are enough for attackers to be able to get a foot in the door of a system and gain full access,” explains Lendl in an interview with futurezone.

“But it is also possible to use this attack to bring out heavier artillery pieces and to paralyze systems immediately with ransomware attacks, for example, or to steal data,” says Lendl. “That worries me a lot at the moment, because the thousands of systems in Austria are vulnerable in this regard,” says the IT expert. “And that would really hurt quickly.”


The IT departments of companies that operate open Exchange servers have a lot to do.

What should companies do now?

Lendl recommends that companies which have not yet closed the security gap do so “with high urgency”. “It's urgent,” says the expert. If this is not possible for a system, it must be disconnected from the network immediately, according to the CERT.at expert. Applying the patches from Microsoft requires full system rights, so the patch can only be applied by authorized IT administrators.

“Since the mass exploitation began extremely shortly after the patches were available, it cannot be assumed that quickly patching your own Exchange server prevented an infection,” says Lendl. It is, however, possible to determine whether malware has actually already got in and the system has been compromised. To determine this, you have to run a Microsoft script that searches through the log files.

“There are also other scripts that you can use to check whether there are webshells on the systems,” says Lendl. “But I'm a bit skeptical here. If you can't find anything, that doesn't mean the system is secure. Just because the first attackers selected webshells as a method does not mean that other attackers will compromise the system in the same way,” says the IT expert. If an attack is detected, Lendl recommends contacting the company's “IT specialists” as soon as possible.
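As an added illustration of the webshell check described above (this is not CERT.at's, Microsoft's or the article's own script), the following PowerShell function lists web-script files under a given directory that were created or modified after a cutoff date and records their hashes for the incident responders. The directory and the cutoff date in the usage lines are placeholder assumptions, not values from the article.

```powershell
# Added example: enumerate recently created or modified web-script files under a
# directory served by the Exchange web front end, as a starting point for a
# webshell review. An empty result does not prove the server is clean, as Lendl
# notes: later attackers need not use webshells at all.
function Find-RecentWebScripts {
    param(
        [Parameter(Mandatory)] [string]   $Root,      # directory to search (placeholder, set by the operator)
        [Parameter(Mandatory)] [datetime] $Since,     # report files created or written at or after this date
        [string[]] $Extensions = @('*.aspx', '*.ashx', '*.asmx', '*.php')   # server-side script types to inspect
    )

    Get-ChildItem -Path $Root -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                LastWrite = $_.LastWriteTime
                SizeBytes = $_.Length
                # SHA-256 lets responders compare findings across servers without copying the files around
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Usage: both values below are assumptions for illustration, not taken from the article.
$root  = 'C:\PLACEHOLDER_EXCHANGE_WEB_ROOT'   # replace with the server's actual Exchange web root
$since = Get-Date '2021-02-20'                # a few days before the first reports is a cautious cutoff

$hits = Find-RecentWebScripts -Root $root -Since $since
$hits | Sort-Object LastWrite -Descending | Format-Table -AutoSize

# Keep a record for the responders rather than deleting anything on the spot.
$hits | Export-Csv -Path (Join-Path $env:TEMP 'recent-web-scripts.csv') -NoTypeInformation
```

The script only reads file metadata and hashes; it deliberately does not delete or modify anything, so that a suspected compromise can still be investigated by the IT specialists the article refers to. Run it with an administrative account, since the Exchange directories are not readable by ordinary users.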

What does it mean when a system stays open?

An older analysis by CERT.at also shows that the situation is serious. A serious security flaw that made Microsoft Exchange servers vulnerable was discovered in 2019. Around a third of the exposed servers in Austria are still vulnerable to it. This means: 33 percent of the systems have not yet been updated. “If you operate Microsoft Exchange Server seriously, you should secure the systems using VPN,” says Lendl. Everything else is negligent.


Which countries are affected?

But Austria is not the only country affected. In Germany, for example, the head of the BSI, Arne Schönbohm, warned of what could happen if the systems were not secured soon. Security warning level 4 (red) was therefore issued. That is the highest warning level there is. According to Zeit.de, it has only been declared for the second time so far. Data and know-how could leak to attackers, and production plants could come to a standstill. Germany expects “thousands of open systems” and there are also “first indications that individual federal authorities are affected,” as Die Zeit reports.

It was also announced on Monday that the European Banking Authority (EBA) had already been compromised. Personal information from the emails was reportedly read. The incident is currently being investigated. In the meantime, the EBA's e-mail systems have been taken offline for security reasons.

According to Kaspersky, apart from the USA, organizations in Europe in particular were hit hardest from the start. Kaspersky analyzed “related attacks” at the beginning of March and found that Austria was one of the most affected countries alongside Germany, Italy and Switzerland. The “related attacks” affected Germany to 26.93 percent, Italy to 9 percent, Austria to 5.72 percent, Switzerland to 4.81 percent and the USA to 4.73 percent, the report says.

What else will happen?

The zero-day vulnerability continues to be massively exploited and many security researchers regard both the systems that have not yet been protected and those that have already been infiltrated as “ticking time bombs”.
