A Vulnerable World: RiskIQ’s Unique View of the Microsoft Exchange Landscape

Frankly, it’s a tough time to be in cybersecurity. Perhaps the toughest ever. There have been over a dozen zero-days in the past three months alone, with countless organizations across the world affected.

We’re barely four months removed from SolarWinds—a watershed attack some thought would set the standard for the impact a vulnerability could have—and already dealing with a new attack that dwarfs it in scale. While it started with espionage actors Hafnium, ESET Research shows that at least 10 APT groups have exploited Microsoft Exchange vulnerabilities. Now more are jumping in, and some organizations are seeing ransomware actors leveraging the vulnerability as well.

With the prevalence of Microsoft Exchange servers across the global attack surface, the sheer size of this incident goes well beyond security. In reality, this is a big data problem.

RiskIQ has continuously collected internet data for more than a decade to solve such a problem. We built our technology to help security teams handle global attacks, and we’re experts at discovering attack surfaces from organizational to global in scale. Now, we’re working overtime to put this vulnerability’s scope into context and help the world understand if they are exposed and enable them to respond rapidly.

The Scale of Microsoft Exchange Vulnerabilities

RiskIQ is working with Microsoft to help them better understand the scope of the issue and the progress made getting systems updated. On March 2, we informed them that 400,000 total on-premises Exchange servers were needing to be updated. This number dropped to more than 100,000 servers after Microsoft’s first set of updates.

On Thursday, March 11, RiskIQ has detected 82,731 total vulnerable instances of Microsoft Exchange servers worldwide, a decrease of 9,341 from Wednesday’s count of 92,072.

  • Of the remaining unpatched versions of Exchange, 2016 leads the way in total exposure.
  • For servers with a hotfix available, Exchange 2013 and 2016 continue to be the versions forgoing installations of Microsoft’s security updates.
  • The most recent version of Exchange 2013 has 6,000 observations of unpatched servers.
  • A rapid analysis of RiskIQ data shows at least 312 banks, 335 healthcare, 105 pharma, and 153 servers ending with .gov are among those affected.

Our platform enables us to see where Microsoft exchange servers are globally on a granular level, gleaning key geo-insights. Some of these include:

  • The United States has the most vulnerable Exchange Servers, accounting for 23% of the global total.
  • Germany, despite its size, accounts for 13% of the global total. Germany also leads the world in the total number of unpatched Exchange 2016 CU, with 18 servers.
  • Russia, with 3,205 vulnerable servers, has 1.5x the exposure of China.

You can see a visual breakdown of vulnerable servers by geographic location here:


A Slow Global Response

While the numbers are falling, they’re not falling fast enough. If you have an exchange server unpatched and exposed to the Internet, your organization is likely already breached.

One reason the response may be so slow is many organizations may not realize they have exchange servers exposed to the Internet—this is a common issue we see with new customers. Another is that while new patches are coming out every day, many of these servers are not patchable and require upgrades, which is a complicated fix and will likely spur many organizations to migrate to cloud email.

On March 3, 2021, The Department of Homeland Security CISA released Emergency Directive 21-02 concerning these vulnerabilities with specific instructions for government agencies. Microsoft has also made patches available to protect Exchange servers against the zero-day attacks (but not existing compromise). Do note wait; install the patches immediately to all on-prem Exchange servers.

RiskIQ’s Response

This is an incident on an almost unfathomable scale that requires a coordinated, all-hands-on-deck effort. Because of our unique vantage point of the Microsoft Exchange server landscape, we’re working with organizations of all sizes—CERT teams, ISACSs, governments, banks, ISPs, healthcare organizations, and pharma on mass notification and incident response program.

Via automation, we’ve worked with more than 83,000 owners of vulnerable exchange servers and will continue to do so daily until the situation is fully resolved. We’ll also be reporting on the daily number of vulnerable servers and identifying stats and trends.

RiskIQ Resources

RiskIQ has automated systems in place to notify the thousands of affected organizations, and we are working together with the cybersecurity community to provide resources and incident response.

Recently, we launched a Microsoft Exchange info portal on our website for more information on this attack and how you can determine if you’re affected and how to respond. RiskIQ customers should follow the guidance we’ve provided here.

Access for incident responders to investigate this attack’s IOCs is free in the Community Edition of our RiskIQ PassiveTotal, our threat hunting product.

activereach Ltd are pleased to partner with RiskIQ. The above article was published by Team RiskIQ on 12 March 2021. For further information and how to leverage RiskIQ’s technology to help detect this issue, contact the activereach team on 0845 625 9025 or request a demo here.