Hackers targeting vulnerable UK government and police servers, say security researchers

Since Microsoft Exchange email system flaws were discovered earlier this year, and detailed at a Black Hat security conference, over 50% of UK Microsoft Exchange servers have not been updated, with the gov.uk domain used by the UK government, and the police.uk domain, being among those at risk.

Many researchers and organisations have since reported the infiltration of vulnerable servers by cyber criminals, who have used security gaps to deploy ransomware.

According to Kevin Beaumont, a security researcher who used to work for Microsoft, the vulnerabilities are “as serious as they come”, with Beaumont criticising Microsoft for “knowingly awful” messaging towards customers, in the aim to get them to update their servers.

Although security flaws were fixed by Microsoft in April and May this year, it’s been revealed that the corporation failed to assign the problems a Common Vulnerabilities and Exposures (CVE) identifier, which delayed tracking and updating of vulnerabilities.

What is the Common Vulnerabilities and Exposures (CVE) system?

The CVE system is a list of publicly disclosed computer security flaws, all of which are given their own ID number. The list is maintained by the MITRE Corporation, and helps IT professionals to better organise appropriate solutions to mitigate possible attacks.

A Microsoft spokesperson has said: “Customers who have applied the latest updates are already protected against these vulnerabilities.”

Beaumont commented: “Given many organisations vulnerability manage via CVE, it created a situation where Microsoft’s customers were misinformed about the severity of one of the most critical enterprise security bugs of the year.”

In response to the discovery, the UK’s National Cyber Security Centre (NCSC) told Sky News: “We are aware of ongoing global activity targeting previously disclosed vulnerabilities in Microsoft Exchange servers.

“At this stage, we have not seen evidence of UK organisations being compromised, but we continue to monitor for impact.

“The NCSC urges all organisations to install the latest security updates to protect themselves and to report any suspected compromises via our website.”

Microsoft Exchange attacks highlight the wider issue: email is outdated

Following recent cyber attacks on the Microsoft Exchange, Amandine Le Pape, co-founder and chief operating officer of Element, discusses why email has become outdated. Read here

A lesson to be learned

Oz Alashe, CEO and founder of behavioural security platform CybSafe, believes that the lack of remediation action following exposure of these vulnerabilities, “needs to be a lesson in the importance of messaging and vigilant security behaviours”.

Alashe continued: “These gaps in our defences will always emerge, but what matters is the speed and clarity of the response. Any ambiguity can lead to vital software updates not being deployed, and leave organisations exposed to malicious actors and ransomware attacks.

“With gov.uk and the police.uk among the domains still without the necessary Microsoft email server update, the consequences of not addressing these vulnerabilities are clear. Keeping software updated is a simple yet highly effective way we can reduce our cyber risk, and organisations need to ensure they convey its importance with speed and clarity.”

Information Age analysis

With police and governmental bodies looking to digitally transform their infrastructure to keep up with service demand and respond quicker, it’s vital that security measures are updated alongside such initiatives. As the amount of sensitive data at these organisations’ disposal continues to grow, so does the size of the attack landscape, meaning the need for continuous monitoring and updates.

Email security has proves to be a key challenge in multiple sectors during the pandemic, with many employees operating, and continuing to operate from home, often on personal devices in the case of public sector employees. This rise in shadow IT needs to be taken into account by security leaders and staff, and measures need to be taken accordingly. Employees must do their bit too, by constantly being wary of possibly dangerous links from unfamiliar email addresses, as well as phishing emails.