The rapidly evolving cyberattack against Microsoft Exchange Server is entering a new phase as opportunistic criminals rush in to steal whatever emails, certificates, sensitive financial data and intellectual property remain on vulnerable servers.
Microsoft, government cyber agencies and cybersecurity researchers warned thousands of Exchange Server users to scan their systems for malicious webshells and download security updates as soon as possible.
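As an added example (not code from the article, from Microsoft or from any of the researchers quoted), the check described above: a scanner that walks an IIS web root, picks out the file types IIS executes server-side, and reports those containing patterns typical of one-line ASPX webshells, flagging whether each was written after the January start of exploitation the article reports. The indicator patterns, the cutoff date, the directory names and the sample files are assumptions constructed for this example.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# File types IIS executes server-side; a webshell has to be one of these.
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx"}

# The earliest exploitation reported in the article is Jan. 3, 2021, so any
# server-side script written since then deserves a look (assumed cutoff).
CUTOFF = datetime(2021, 1, 1, tzinfo=timezone.utc)

# Indicators typical of one-line ASPX webshells: evaluating request data as
# code, JScript pages, process spawning. Assumed patterns; tune for your site.
INDICATORS = {
    "eval_of_request": re.compile(rb"eval\s*\(\s*Request", re.IGNORECASE),
    "unsafe_eval": re.compile(rb'"unsafe"'),
    "jscript_page": re.compile(rb'Language\s*=\s*"?JScript"?', re.IGNORECASE),
    "process_spawn": re.compile(
        rb"Process\.Start|ProcessStartInfo|cmd\.exe|powershell", re.IGNORECASE),
}


def inspect_file(path, cutoff=CUTOFF):
    """Return (names of indicators hit, True if modified on/after cutoff)."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    return hits, mtime >= cutoff


def scan_webroot(root, cutoff=CUTOFF):
    """Walk root and return findings for server-side script files that match
    webshell indicators. Recency alone is not a finding, but it is reported
    so the newest files can be triaged first."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            hits, recent = inspect_file(path, cutoff)
            if hits:
                findings.append({"path": path, "indicators": hits,
                                 "modified_after_cutoff": recent})
    return findings


def build_sample_tree():
    """Constructed sample web root (not real Exchange files) for a dry run:
    one benign logon page dated 2019, one China Chopper style one-liner
    dropped today, and one non-script file that must be ignored."""
    root = tempfile.mkdtemp(prefix="owa_sample_")
    auth_dir = os.path.join(root, "owa", "auth")
    client_dir = os.path.join(root, "aspnet_client", "system_web")
    os.makedirs(auth_dir)
    os.makedirs(client_dir)
    benign = os.path.join(auth_dir, "logon.aspx")
    with open(benign, "wb") as fh:
        fh.write(b'<%@ Page Language="C#" %>\r\n<html><body><form method="post">'
                 b'<input name="username"/></form></body></html>\r\n')
    old = datetime(2019, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(benign, (old, old))  # pre-dates the attacks
    shell = os.path.join(client_dir, "supp0rt.aspx")
    with open(shell, "wb") as fh:
        fh.write(b'<%@ Page Language="Jscript"%>'
                 b'<%eval(Request.Item["cmd"],"unsafe");%>')
    with open(os.path.join(root, "aspnet_client", "readme.txt"), "wb") as fh:
        fh.write(b"not a script\n")
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_tree()):
        print(finding)
```

Point scan_webroot at the IIS web root and the Exchange front-end directories on each server (assumed locations; check your install). A clean scan is not proof of absence: an attacker who already had a shell may have deleted it after exporting mailboxes or creating accounts, so pair this with a review of IIS and Exchange logs for the same period.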
Researchers fear that, more than two months after the threat was discovered, criminal hackers have had more than enough time to loot proprietary data or plant thousands of undetected footholds on small- and medium-sized firms that run aging, on-premises Exchange servers.
"So if somebody stood outside your house, and they yelled 'Alexa, order a sofa!' and Alexa did. And a burglar hid inside that sofa-sized box, and got brought into your house. That's what they did," said Joel Fulton, CEO of Lucidum and former chief information security officer at Splunk.
There are more than 125,000 unpatched Microsoft Exchange servers worldwide, according to data released Tuesday by Unit 42 at Palo Alto Networks. The U.S. leads all nations with 33,000 confirmed unpatched servers, followed by Germany with 21,000 and the U.K. with 7,900, according to a spokesperson for Palo Alto.
Servers patched last week may still be compromised, because the vulnerabilities have been exploited since early January, according to the spokesperson. Patching closes the entry point but does not remove webshells, mailbox exports or accounts an attacker has already put in place, so a patched server still needs to be checked for signs of earlier compromise.
Volexity researchers found new evidence that exploitation of the Exchange vulnerability began before the originally reported start date of Jan. 6.
"Since original publication of this blog, Volexity has now observed that cyber espionage operations using the SSRF (server side request forgery) vulnerability started occurring on January 3, 2021, three days earlier than initially posted," the company said in an update to its post.
Following the initial intrusion, Microsoft Exchange users are facing attacks from threat actors beyond Hafnium, the Chinese-backed nation-state group that Microsoft says was behind the original Exchange Server attack, according to an updated blog post from Microsoft.
"Recently other adversary groups have started targeting these vulnerabilities, and we expect that these attacks will continue to increase as attackers investigate and automate exploitation of these vulnerabilities," Microsoft researchers said in the blogpost. "Not all these footholds are being utilized immediately and some were likely put in place for future exploitation."
Criminal intent
Security researchers warn that Exchange Server customers will face continual threats of phishing, ransomware and other attacks in the near term. Criminal actors have already begun using the months since the initial back doors were opened to search for valuable data, emails and possibly the most valuable asset of all: authentication certificates.
With a stolen certificate, a threat actor could assume a user's identity and move laterally across systems that treat the attacker as the legitimate user. The suspected SolarWinds threat actor used similar tactics to gain access to targets' emails.
"Though broad exploitation of the Microsoft Exchange vulnerabilities has already begun, many targeted organizations may have more to lose as this capability spreads to the hands of criminal actors who are willing to extort organizations and disrupt systems," said John Hultquist, vice president of analysis, Mandiant Threat Intelligence.
"The cyber espionage operators who have access to this exploit for some time aren't likely to be interested in the vast majority of the small and medium organizations," said Hultquist. "Though they appear to be exploring organizations in masses, this effort could allow them to select targets of the greatest intelligence value."
Microsoft issued a series of security updates late Monday that let customers protect older, more vulnerable machines. The updates address the vulnerabilities in Exchange Server 2013, 2016 and 2019 and also cover Exchange Server 2010 as a defense-in-depth measure, according to the updated post from Microsoft.
"In general the timeliness of installing updates (especially those that patch security vulnerabilities) is a key factor for maintaining security of any system," Jonathan Tanner, senior security researcher at Barracuda, said via email. "While, in this case, the patch came after the vulnerabilities being exploited in the wild, often exploitation of vulnerabilities in the wild occurs after the vulnerability has been announced and the patch released."
Patching as soon as possible can prevent security issues for most vulnerabilities, because the attacker usually has to develop and deploy an exploit in response to a vulnerability disclosure. This is especially true of cybercriminals, who lack the time and funding that nation-state actors have to find or purchase zero-day vulnerabilities, Tanner said.
Up to 30,000 organizations, ranging from major companies to defense contractors, think tanks, law firms, local government agencies and storefront shops, have been affected by the hack. Marc Rogers, vice president of cybersecurity at Okta, said he fears many of the smaller Exchange Server customers will remain vulnerable for years to come, mainly because their servers will stay below the radar of security and IT experts.
"There's going to be these little mom and pop-type enterprises that have an Exchange server that no one finds for a significant amount of time, and probably don't even notice because their emails keep working," Rogers said. "And you know, they're not dealing with anything massively confidential so no one does anything particularly malicious with them."
The fear is that while such servers may not be much use as a vehicle for stealing sensitive financial data or email, they could over time be weaponized in a similar fashion to the Mirai botnet, he said.