Cybercriminals scanned for vulnerable Microsoft Exchange servers within five minutes of news going public
Threat actors began searching the web for vulnerable Microsoft Exchange Servers within five minutes of Microsoft’s security advisory going public, according to Palo Alto Networks’ 2021 Cortex Xpanse Attack Surface Threat Report, which was published today. The finding comes from a review of threat data from enterprise companies, compiled between January and March this year and included in the report. When critical vulnerabilities in popular software are announced to the public, a race often occurs between threat actors and IT admins, with one group looking for suitable targets and the other performing risk assessments and implementing patches. The attackers gain the upper hand when a proof-of-concept is available or when a bug is relatively easy to exploit.
The announcement of zero-day vulnerabilities can attract attackers’ scans within 15 minutes of public disclosure, says the report. Palo Alto states that attackers were able to work faster on the Microsoft Exchange flaws than IT admins, with the first scans detected in no more than five minutes. The incident occurred on March 2, when Microsoft went public with the existence of four zero-day vulnerabilities in its Exchange Server. The flaws were targeted by the Chinese APT group Hafnium and other APTs such as Tick, Winnti Group, and LuckyMouse.