NCSC issues Exchange hack warning as Microsoft probes security partner leak

The National Cyber Security Centre (NCSC) has urged businesses to patch against recently disclosed vulnerabilities in Exchange as Microsoft investigates whether hackers exploiting the flaws had obtained information from its security partners.

Businesses should install the latest Microsoft Exchange updates “as a matter of urgency”, as well as search their systems for evidence of compromise, according to the latest advice from the NCSC. The government agency asked any affected UK organisations to disclose “any suspected compromises” via the NCSC cyber security incident reporting website.

The agency has confirmed that an estimated 7,000 UK servers had been affected by the vulnerabilities, of which around half have already been secured.

NCSC director for Operations Paul Chichester said that “organisations should also be alive to the threat of ransomware and familiarise themselves with [the NCSC’s] guidance”.

Chichester said that the agency is “working closely with industry and international partners to understand the scale and impact of UK exposure, but it is vital that all organisations take immediate steps to protect their networks”.

“Whilst this work is ongoing, the most important action is to install the latest Microsoft updates,” he added.

The guidance came as Microsoft launched an investigation into whether an unnamed Microsoft security partner, which had access to sensitive information on the vulnerabilities behind the attacks, had leaked the intelligence to hacking groups – and whether it had done so by accident or on purpose.

Insider sources told the Wall Street Journal that the tech giant was in the process of reviewing the Microsoft Active Protections Program (Mapp), an information-sharing programme launched in 2008 with the aim of providing security companies a head start in detecting cyber security threats.

A number of Mapp partners had knowledge of the vulnerabilities since 23 February, a week prior to the release of patches and the launch of the attacks, according to the sources. Out of the estimated 80 organisations involved in the programme globally, about 10 are based in China – where the state-sponsored Hafnium group is said to be operating from.

Hafnium has been accused of orchestrating the attacks immediately after they were first reported, with Microsoft’s corporate VP of Customer Security & Trust, Tom Burt, saying that “while Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States”.

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs,” he said, adding that the group “engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software”.

However, since then it has been revealed that at least 10 other hacking groups were also involved in exploiting the Exchange Server vulnerabilities.