Alleged Chinese attack on Microsoft Exchange remains an 'active threat,' says US government

Microsoft logo
Microsoft logo (Image credit: Daniel Rubino / Windows Central)

What you need to know

  • The recent hack of Microsoft's Exchange email server software remains an "active threat."
  • Microsoft rolled out patches to vulnerabilities, but organizations that were already compromised are still at risk.
  • At least 20,000 organizations have been compromised by the hacks, according to recent reports.

Last week, news emerged that Microsoft's Exchange email server software was hacked. Microsoft blamed a state-sponsored group out of China, but Beijing has denied any involvement. The company released several security updates to address vulnerabilities, but the hacks remain an "active threat," according to the U.S. government.

Reuters reports that while Microsoft released a patch that addresses the vulnerability, that any server already compromised by the attack can still be accessed through a "back-door."

The National Security Council sent a Tweet over the weekend regarding the attack that states:

Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted.

A White House official told Reuters that "This is an active threat still developing and we urge network operators to take it very seriously." According to a source that spoke with Reuters, more than 20,000 organizations had been compromised by the hack as of March 7, 2021.

Top U.S. security officials are working to decide the next steps, according to a White House official that spoke with Reuters.

Organizations that have already been compromised could include credit unions, local government offices, and small businesses. Reuters states that the situation has "left U.S. officials scrambling to reach victims, with the FBI on Sunday urging them to contact the law enforcement agency."

A Microsoft representative told Reuters that the company is working with the U.S. government and others to help customers. The company also urged impacted clients to apply the software updates that it has rolled out as soon as possible.

A source told Reuters that only a small percentage of networks have been compromised through the back-door vulnerability, but that more attacks are expected.

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com (opens in new tab).

3 Comments
  • For anyone who's potentially affected, here's a link to a PS script put together by the Exchange team that automates checking for all 4 vulnerabilities. Run it from within the Exchange Management Shell: https://github.com/microsoft/CSS-Exchange/tree/main/Security
  • HI
    Reading article this prompts me to relay an unrelated concern about Microsoft which irritates me profoundly. .. I use a Surface Pro 7 and use the Edge browser in its original and Dev forms. If I use either browser to access some other source, before looking at Windrows Central, the latter can't be displayed in Edge until I have rebooted. This is pathetic and very prolonged Roger
  • Never seen or heard of anything like that. Does it happen if you try to access Windows Central via InPrivate in Edge? Maybe you have an extension or some other code running that has an obscure incompatibility with Windows Central that stays in memory after closing the browser. But if you use a new profile or InPrivate, it should be isolated. If that does work, then it must be an extension or other browser-specific issue. Try to figure out which one by creating a new Profile and slowly adding your extensions back one by one until the problem recurs. If it doesn't work even in an InPrivate session once the problem has occurred in your main Edge profile, then it must be some other code that's running, in which case, try to disabling things in your systray or via the Task Manager until you find the culprit. In either case, if you are able to find the problem, be sure to let Windows Central and, if possible, the developer of the other piece of code, know what's causing the problem so they can try to fix.