Skip to content

Exchange Server attacks aren’t over … until all the checks are done

The fallout continues from the recent ‘Hafnium’ Exchange Server attacks. There are warnings from Microsoft for administrators who might think they are safe from infection of their systems.

According to Microsoft 94% of Exchange Server systems are now protected from attacks caused by a bug in the Microsoft software.  That’s great but you have to wonder what the ^%$# is happening on the other 6%.  Are their administrators asleep?  Vacationing on the far side of the moon?

Microsoft has released a ‘one click tool’ to patch Exchange Server systems and check for known infiltrations by hackers exploiting the security bug.  It’s only an interim fix before properly patching Exchange Server 2019, 2016 or 2013.

The problems of ‘Hafnium’ attacks don’t end with patching Exchange Server.  There’s also the risk that the system has already been infiltrated before the bug was fixed. Hackers may have already got into networks and dropped code they can use to re-enter the network at a later time.

Microsoft calls this part “Mitigating post-exploitation activities” their typical PR speak.  The ‘exploitation’ isn’t over until the network is full protected and checked for hacker nasties.

According to Microsoft there are three main attacks possible after hackers have gained a foothold on a network through Exchange Server bugs.

Web Shells – criminals drop small files of code on a networks web servers.  They return later to run that code and gain access to the network.

Ransomware – hackers use access to Exchange Server to spread ransomware software and hold files and documents hostage until the bribe is paid.

Credential theft – stealing login details for later misuse.

About this author

Office-Watch.com

Office Watch is the independent source of Microsoft Office news, tips and help since 1996. Don't miss our famous free newsletter.