As if last year’s SolarWinds hack, which also affected Microsoft, wasn’t bad enough, this year seems to be starting out terribly for the infosec industry. Microsoft Exchange Servers worldwide have been compromised and have leaked emails to what may be more than just state-sponsored hackers. Unfortunately, that may have been prevented or at least mitigated if Microsoft hadn’t waited two months to plug up the security holes it already knew about.
Security researchers are always looking for exploitable flaws in computer and software systems, and, fortunately, the really good ones report their findings to developers and vendors immediately. That doesn’t guarantee the latter will take immediate action, especially on large, complex software like Windows or Microsoft Exchange. Some may even postpone action to a later date, for one reason or another, and that may have cost Microsoft more than its reputation.
According to Krebs on Security’s most recent report, the vulnerabilities that exposed Microsoft Exchange Servers around the world were reported as early as January 5 this year and were confirmed by independent security researchers. While Microsoft did acknowledge the reports, it took another month for the company to say that the matter had been escalated. It then announced it would patch the flaws on its next “Patch Tuesday”, which would have been March 9.
Microsoft may have been alerted to the severity of the bugs and decided to release the patches for the four zero-day flaws on March 2 instead. By then, however, it was already too late: 30,000 organizations in the US had already been compromised by backdoors installed through those vulnerabilities. Matters got so bad that even the White House issued official statements on the severity of the hacking spree and the importance of applying those fixes.
Curiously, Microsoft’s patches have also been made available for Exchange Server 2010, suggesting the bugs may have been present for more than a decade. Unfortunately, the number of compromised systems is only increasing, and Hafnium, a state-sponsored hacking group in China, may no longer be the only one taking advantage of holes that could have been plugged sooner.