This attack is unusual because it is one of the rare situations where bad actors performed mass exploitation of near-zero-day vulnerabilities, particularly ones that allowed remote code execution (RCE). Many organizations were -- and are -- still vulnerable to exploitation.
BitSight’s latest global analysis shows that despite repeated warnings from Microsoft and government agencies, many organizations still have not patched vulnerable Microsoft Exchange Servers and remain at risk of threat vector exploitation:
Despite recent warnings to patch the vulnerabilities in their systems, BitSight observes a very high rate of confirmed vulnerable versions of Exchange currently running across the globe.
BitSight is tracking the total number of companies running confirmed vulnerable versions of Microsoft Exchange. Organizations rely on Exchange as a mail and calendar service that stores company email on a centralized server, so an attacker who infiltrates that server gains access to contact information and sensitive business communication. As of March 10, we assess that nearly 1 in 3 companies running Exchange are currently running vulnerable versions. These organizations should initiate an incident response process under the assumption that their server was compromised.
BitSight is tracking the prevalence of organizations running vulnerable versions of Microsoft Exchange Server by sector. We find that more than 5% of global government entities are currently running vulnerable versions of Exchange.
BitSight is also tracking sector-specific performance, comparing the prevalence of vulnerable versions of Microsoft Exchange Server with patched or non-vulnerable versions in key sectors.
Of particular concern is the prevalence of vulnerable versions of Microsoft Exchange within the U.S. government. BitSight finds more than 340 U.S. government entities at the state, local, and Federal level -- including multiple U.S. Federal agencies -- are currently running versions of Microsoft Exchange affected by these vulnerabilities.
Organizations are seeking to determine whether they or their vendors may be running vulnerable versions of Microsoft Exchange Server in order to understand their exposure. BitSight currently shows data on potentially vulnerable Exchange servers in the vulnerability catalog. Customers can find this data by searching for any of the Exchange CVEs in the attack chain:
BitSight will continue to update this research with additional telemetry. Please reach out to BitSight if you have specific questions about the impact of this incident on your vendor ecosystem.
Based on analysis and public reporting, BitSight estimates that the majority of vulnerable Exchange servers on the Internet were likely compromised, making it imperative for organizations with public Exchange servers to initiate an incident response process under the assumption that theirs was compromised.
Identifying the current Exchange Server version can be difficult because Microsoft does not always update the version string when a patch is applied -- making it look like organizations are still running a “vulnerable” version when they have actually updated their systems. With this in mind, it is best to err on the side of caution and install any available updates immediately.
Organizations running any version of Microsoft Exchange Server should immediately install any available patches to Exchange Server software.
It is also important to note that the presence of this vulnerability within your third-party vendor ecosystem is a dangerous threat vector as well. Bad actors behind the Exchange breach can not only read your conversations with an infiltrated third party, but can also penetrate your network through your vendor’s access. Continuously monitoring your supply chain can help identify such exposures and facilitate remediation before they become a danger to your organization.