Many businesses still haven't patched their Microsoft Exchange servers

(Image credit: / Gorodenkoff)

Although organizations have known for weeks now about the ProxyLogon vulnerabilities in Microsoft Exchange, new research from CyberNews has revealed that there are still more than 60,000 servers that have yet to be patched.

At the beginning of March, the software giant detected that multiple zero-day exploits were being used to attack on-premises versions of servers running its software. While Microsoft attributed the campaign to a threat actor group known as Hafnium with ties to China, these vulnerabilities are now being exploited by other threat actor groups.

Despite the fact that Microsoft has released a comprehensive security update, a one-click interim Exchange On-Premises Mitigation Tool and even step-by-step guidance address these attacks, CyberNews' investigation shows that thousands of servers remain vulnerable.

The news outlet looked at the main vulnerability, tracked as CVE-2021-26855, and gathered data on the number of potentially vulnerable unpatched servers to discover that approximately 62,174 servers have not yet been updated.

Vulnerable servers

Of the vulnerable servers found by CyberNews, 13,877 are located in the US and over 9,000 are in Germany. In France, the UK, Italy and Russia, there are 3,387, 3,128, 2,577 and 2,517 vulnerable servers respectively. This is still an improvement over the number of vulnerable systems (120,000) when the ProxyLogon vulnerabilities were first discovered.

Now though, these vulnerable servers are being attacked in the wild by cybercriminals who are trying to infect them with the BlackKingdom ransomware. In a new blog post, director of engineering at Sophos, Mark Loman provided further insight on the BlackKingdom ransomware, saying:

“The Black KingDom ransomware is far from the most sophisticated payload we’ve seen. In fact, our early analysis reveals that it is somewhat rudimentary and amateurish in its composition, but it can still cause a great deal of damage. It may be related to a ransomware of the same name that appeared last year on machines that, at the time, were running a vulnerable version of the Pulse Secure VPN concentrator software.”

If you're organization has a Microsoft Exchange server, it is highly recommended that you follow Microsoft's guidance and install the latest patches and bug fixes immediately now that cybercriminals are actively targeting vulnerable servers. 

Via CyberNews

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.