Thousands of UK firms may have been hacked using recently disclosed Microsoft Exchange security flaws, with many more still vulnerable, warns NCSC
Thousands of UK email servers are likely to still be vulnerable to unpatched security flaws affecting Microsoft Exchange, authorities have said.
The National Cyber Security Centre (NCSC) estimated some 7,000 email servers in the country were affected by the Exchange bugs, with only half having applied patches.
The agency said it had contacted some 2,300 UK businesses to warn them that their systems had been hacked as part of a free-for-all making use of the vulnerabilities.
The NCSC said it had found evidence of web shells, which can be used to access systems and steal information, on the businesses’ networks.
The presence of a web shell does not guarantee that a data breach has taken place, and once discovered the shells can be removed.
The NCSC issued new guidance on Friday telling businesses it is “vital” that they update Exchange and search for evidence of compromise.
The agency’s statement is the first evidence of the scale of the Exchange issue in the UK.
It said ransomware gangs have begun using the flaws to carry out attacks, but that as yet there is no evidence of widespread ransomware attacks using the issues in the UK.
The NCSC said it is particularly concerned about the security of small and medium-sized businesses that may not have heard about the urgent patches Microsoft issued earlier this month.
“We are working closely with industry and international partners to understand the scale and impact of UK exposure, but it is vital that all organisations take immediate steps to protect their networks,” said NCSC director for operations Paul Chichester.
“While this work is ongoing, the most important action is to install the latest Microsoft updates.”
Chichester said organisations should search for indicators of compromise on their own networks and familiarise themselves with the guidance around ransomware attacks.
Microsoft said the Exchange flaws were initially exploited for several months by a Chinese state-backed hacking group.
But once the bugs were discovered and made public, a number of other state-backed groups, as well as criminal gangs, rushed to identify vulnerable servers.
Security researchers have estimated as many as 250,000 servers around the world could be vulnerable.
In Europe, the Norwegian parliament and the European Banking Authority both said they had been breached, although the EBA said there was no evidence that information had been stolen.