BitSight’s latest global analysis shows that thousands of organizations have been successfully exploited as a result of Microsoft Exchange Server vulnerabilities. Encouragingly, the number of vulnerable systems has continued to drop at a healthy rate since our original observations last week, suggesting that organizations are steadily patching systems. However, thousands of vulnerable systems remain unpatched around the globe, placing those organizations at risk of a damaging ransomware attack or additional exploitation. In addition, thousands of servers still carry backdoors despite having been patched.
These findings are based on BitSight’s continuous data collection. As part of our telemetry, BitSight continuously interacts with all Internet-accessible systems to understand what services they have accessible on their network and understand their current configurations. We are able to detect Microsoft Exchange Servers through this activity, and when we do, we can assess those systems for certain vulnerabilities and insecure configurations. The data BitSight observes is made possible through using information and tools made available by Microsoft and other members of the security community.
The rate of observable patched Exchange Servers is improving. Nearly 65,000 out of 316,000 (20%) observed Exchange Servers remain vulnerable as of March 15. This is down from 99,000 (30%) observed vulnerable servers on March 9.
There remain a significant number of currently exploited Exchange Servers. More than 14,000 (4%) observed Exchange Servers are currently exploited. This is down from more than 31,000 (9%) on March 11. Because BitSight only observes a subset of all possible backdoors, this number is a lower bound for the total number of systems that have been compromised.
More than 5,500 observed patched systems still carry a backdoor, implying that those administrators have yet to perform incident response on their systems: patching closes the vulnerability but does not remove a web shell or other persistence already installed.
The Government (4.5%) and Utilities (4%) sectors still have the highest rate of vulnerable Exchange Servers, though this has improved since March 10. Other sectors show slight improvements in patching vulnerable systems.
Based on analysis and public reporting, BitSight estimates that the majority of vulnerable Exchange Servers on the Internet were likely compromised, making it imperative for organizations with public Exchange Servers to initiate an incident response process under the assumption that their servers were compromised.
Organizations running any affected version of Microsoft Exchange Server should immediately install any available patches to Exchange Server software.
It’s also important to note that the presence of this vulnerability within your third-party vendor ecosystem can pose a threat as well. Bad actors who have compromised a vendor’s Exchange Server can not only read your conversations with that third party, but can also pivot into your network through the vendor’s access. Continuously monitoring your supply chain can help identify vulnerabilities and facilitate remediation before they become a danger to your organization.
Organizations are seeking to determine whether they or their vendors may be running vulnerable versions of Microsoft Exchange Server in order to understand their cybersecurity threat exposure. BitSight is currently showing data on vulnerable and exploited Exchange Servers in the vulnerability catalog. Customers can look up any of the Exchange CVEs in the attack chain by searching for the CVE identifier:
BitSight will continue to update this research and our product with additional telemetry. Please reach out to BitSight if you have specific questions about the impact of this incident to your organization or your vendor ecosystem.
The global response to the latest Exchange vulnerabilities raises critical questions about the efficacy of government and industry efforts:
BitSight believes that continuous, ongoing measurement of security performance can provide global market participants with critical information and data that they can use to improve the security posture of their own organizations, supply chains, business partners, insureds, and investments. The latest incidents have highlighted fundamental weaknesses in our society’s approach to addressing and remediating cyber risk, but we strongly believe that data and measurement can help turn government and commercial organizations alike from reactive participants to proactive managers of risk.