Hackers are targeting Microsoft email servers after a series of vulnerabilities were detailed at a computer security conference earlier this month.
Although software updates for these vulnerabilities have been available for months, more than 50% of Microsoft Exchange servers in the UK have not been updated, according to security researchers.
Among the servers still vulnerable to attack are several on the British government’s gov.uk domain as well as the police.uk domain used by forces in England, Wales and Northern Ireland.
Kevin Beaumont, a security researcher who formerly worked for Microsoft, criticised the company for what he termed “knowingly awful” messaging to get customers to update their software.
The vulnerabilities are “as serious as they come”, wrote Mr Beaumont, as they allow hackers to remotely execute code on an email server without needing to enter a password.
Several security researchers and organisations have reported detecting cyber criminals hacking into servers by exploiting this vulnerability and then deploying ransomware.
Although the flawed code was fixed in April and May, Microsoft did not assign the problems a CVE identifier (Common Vulnerabilities and Exposures) until July, delaying the methods many organisations use to track and update vulnerabilities.
“Given many organisations vulnerability manage via CVE, it created a situation where Microsoft’s customers were misinformed about the severity of one of the most critical enterprise security bugs of the year,” Mr Beaumont wrote.
A spokesperson for Microsoft said: “Customers who have applied the latest updates are already protected against these vulnerabilities.”
They said they had nothing to share in response to Mr Beaumont’s criticism about whether it had effectively communicated the importance of installing these updates.
At the time that Microsoft issued a patch for the vulnerabilities there were no publicly available proof of concept exploits, which typically informs how severe a risk any given vulnerability is considered to pose. It’s the difference between knowing Superman has a weakness, and actually possessing some Kryptonite.
The CVE identifier was assigned before the issue was technically detailed at the Black Hat computer security conference by a hacker who uses the handle Orange Tsai.
It was based on these technical details that other hackers have been able to develop exploits allowing them to recreate Orange Tsai’s methods for accessing Exchange servers.
Orange Tsai said they had discovered more vulnerabilities affecting Microsoft Exchange which were “coming soon” but did not respond to a Twitter message from Sky News for comment.
Mr Beaumont showed Sky News how he had identified thousands of unpatched Exchange Servers in the UK running the Outlook Web App, including several on the gov.uk domain and two on the police.uk domain.
The UK’s National Cyber Security Centre told Sky News: “We are aware of ongoing global activity targeting previously disclosed vulnerabilities in Microsoft Exchange servers.
“At this stage we have not seen evidence of UK organisations being compromised but we continue to monitor for impact.”
“The NCSC urges all organisations to install the latest security updates to protect themselves and to report any suspected compromises via our website,” it added.
A spokesperson for security business Mandiant told Sky News they had observed “a range of industries” being hacked.
“It is difficult to attribute this activity to any one group of threat actors because multiple examples of proof of concept exploit code have been developed and released publicly by security researchers,” the spokesperson said.
“This means that any group could be leveraging the exploit and organisations who have not patched are vulnerable to attack,” they warned, adding that patch rates “remain low” and urging companies to apply patches as quickly as possible.
The new wave of attacks targeting Microsoft Exchange servers follows Microsoft issuing a warning earlier this year about a global hacking campaign also targeting those servers which it attributed to state-sponsored hackers based in China.
An estimated 400,000 servers worldwide were “indiscriminately” compromised during the espionage campaign.
The British government slammed the “reckless” techniques used by China as the method its cyber spies were using to retain access to victim servers also left those servers open to criminals.
While cyber espionage actors generally seek to observe without disrupting their target networks, criminals will regularly disrupt the networks by deploying ransomware – making critical files irretrievable unless the victims pay an extortion fee.
Last month, the UK and allies accused China of “systematic cyber sabotage” in connection with that campaign.
At the same time, the contractors used by Beijing’s cyber intelligence apparatus were accused of conducting “unsanctioned cyber operations worldwide… for their own personal profit” but it is not clear whether these unsanctioned operations were based on exploiting the access established by the sanctioned espionage campaign.