As firms race to patch Microsoft Exchange flaws, security pros brace for ransomware outbreak

Ransomware attacks are coming, so security pros are taking matters into their own hands.
(Photo by Justin Sullivan/Getty Images)

Nobody likes to hurry up and wait.

It’s exactly how security professionals are urging vulnerable organizations to protect themselves, though, against a cavalcade of nation-state and criminal hacking groups reportedly working to exploit Microsoft Exchange Server flaws that were announced earlier this month.

Suspected Chinese government-linked hackers were the first to allegedly exploit the Microsoft vulnerabilities. As soon as the company released a fix for the bugs, though, taking the issue public, a range of other hacking groups also appeared to try leveraging the flaws. At least ten different advanced threat groups are working to exploit the vulnerabilities now, according to ESET research, while other hackers have stolen email data and others have tried to generate financial revenue.

With potentially tens of thousands of victims, the U.S. government — including the National Security Agency, the Department of Homeland Security’s cybersecurity agency, the FBI and the White House — has spent days warning organizations to patch the flaws, and hunt for any indication they have been compromised.


But with such a large list of victims — 30,000 organizations in the U.S. alone, according to some estimates — and so many attackers trying to leverage the flaws, there is little hope for cybersecurity professionals and affected entities to keep up with the sheer volume of exploits and attackers pummeling them, analysts say. In addition to patching the holes in Microsoft technology, organizations should also be working to evict hackers from their networks, and remain on alert for data theft, credential theft and other potentially damaging follow-up attacks.

Security analysts also are warning that the flaws could open the pathway for ransomware attacks, meaning that if organizations fail to act now, it could cost them later.

“Everyone is waiting on the other shoe to drop, which will be ransomware,” said Dmitri Alperovitch, the former chief technology officer of CrowdStrike and executive chairman of Silverado Policy Accelerator. “You effectively have the equivalent of a massive botnet … of Exchange servers that are running with administrative privileges on the network. Once you have access to it you can easily get to the rest of the network. Are we going to have massive exploitations or ransomware campaigns, or are we going to get the majority of companies to patch?”

To answer that question, some cybersecurity professionals are taking matters into their own hands.

Over the last several days, Allison Nixon, the chief research officer at cybersecurity consulting firm Unit 221B, rounded up her team to develop a website that would help alert organizations if they’ve been comprised.


”One common problem people have in the security research field is that they get this list of victims … as a human being you feel this need to let people know, ‘Some bad thing is happening to you, or there’s something you need to do to avoid a really really bad thing happening to you,’” Nixon said.

The Unit 221B website is designed so users can search to see if they are using compromised Exchange servers with Outlook Web Access (OWA) enabled. Users can go to the site, which launched Tuesday, directly from their Exchange server, which will allow Unit 221B to check their IP address against their victim list. Victims will then be alerted if they are compromised and if the attackers loaded webshells, a malicious tool used to establish a foothold inside targets, Nixon says.

“The stress here is that we have all these victims that we know are going to become ransomware victims” but that may not know it yet, especially if they’re inadequately resourced to respond, Nixon explained. “But if we can warn them and they can back up their data and protect themselves and patch then there will be fewer ransomware victims.”

Creating a data backup is one of the most crucial steps that organizations can take right now to protect themselves, Nixon said. Organizations that don’t make a backup of their servers but that do get hit with a ransomware attack, in which hackers lock up their machines and extort them for money, run the risk of losing their businesses entirely, Nixon warned.

“It doesn’t matter if they don’t have a regular backup program, or they don’t have a fancy IT team — they just need to take a copy of their servers … put it on a hard drive, put it it in a safe: A one-time thing this week,” Nixon said.


Unit 221B’s notification site coincides with a host of private sector efforts to help organizations face hackers head-on. Microsoft took the unusual step of issuing security fixes for older and unsupported versions of Exchange Server to try to put a dent in hackers’ operations. Security firm Volexity has provided mitigations to help users secure Microsoft Exchange instances. FireEye has developed threat hunting campaigns to help users identify Exchange Server abuse.

A White House official previously told CyberScoop the National Security Council is considering its options for responses.

Even with these steps, organizations should probably assume compromise at this point, Alperovitch says. The situation is so bad that Alperovitch told CyberScoop he thinks organizations that are affected, especially if they are smaller- or medium-sized businesses, would do well to switch to the cloud.

“If they had a vulnerable [on-premises] Exchange Server as early as last week, they should assume that it’s been hit. You can pretty much take it to the bank,” Alperovitch said. “Given the number of adversaries that have been scanning the internet and compromising all of these servers with webshells, you’d be hard pressed to find [one that’s] not compromised.”

One other precaution organizations should be taking — even before confirming they are compromised — is to use out of band communications, such as Signal or Gmail, to ensure attackers can’t track their targets’ responses, says Alperovitch. 


“This is just a general practice that every major [incident response] firm will do,” Alperovitch said. “When they go to organizations to investigate breaches, they assume the [communications] channels are compromised and being watched by adversaries. We’ve seen it happen many, many times over the years.”

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts