X

Microsoft Exchange attackers strike more than 30,000 US organizations

A vulnerability Microsoft has already fixed in an urgent security update this week is wreaking havoc on businesses, and has caught the attention of the White House.

Ian Sherr Contributor and Former Editor at Large / News
Ian Sherr (he/him/his) grew up in the San Francisco Bay Area, so he's always had a connection to the tech world. As an editor at large at CNET, he wrote about Apple, Microsoft, VR, video games and internet troubles. Aside from writing, he tinkers with tech at home, is a longtime fencer -- the kind with swords -- and began woodworking during the pandemic.
See full bio
Ian Sherr
2 min read
apple-iphone-key-0400

Cities, local governments and businesses are being hit because they haven't updated their Microsoft Exchange software.

 Graphic by Pixabay; illustration by CNET

On March 2, Microsoft released an emergency security update for its Microsoft Exchange email and communications software, patching a security hole in versions of the software going back to 2013. But as customers slowly update their systems, there are signs that at least 30,000 organizations across the US have already been hit by hackers who stole email communications from their systems.

The attacks, which were reported by security expert Brian Krebs on Friday, have hit infectious-disease researchers, law firms, defense contractors, higher education institutions and nongovernmental organizations. Krebs said the researchers who identified the flaw had seen attackers exploiting the vulnerability two months ago.

Microsoft said it's working with the US government to provide guidance for its customers.

"The best protection is to apply updates as soon as possible across all impacted systems," Microsoft said in a statement to Krebs. "We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources." Microsoft didn't immediately respond to a request for comment.

Some of the most high-profile attacks over the years have been a result of hackers targeting organizations slow to update their software. Hackers stole personal information on more than 147.7 million Americans from Equifax by exploiting a vulnerability that would've been patched had the credit monitoring company updated its software. Hackers have also used patched software vulnerabilities to attack systems of state and local governments, who are often slow to update their systems.

That's likely why the White House took the dramatic step of raising the alarm. On Thursday, National Security Advisor Jake Sullivan urged companies to update their software, and White House Press Secretary Jen Psaki discussed the hack during her daily press briefing on Friday.

"This is a significant vulnerability that could have far-reaching impacts," Psaki said. "First and foremost, this is an active threat."