The bugs were publicly disclosed on March 2, when the Redmond-based tech giant announced not only patches for them, but also the fact that a Chinese threat actor had been actively exploiting them in attacks.
Within days, security researchers revealed that multiple adversaries were quick to pick up exploits for the Exchange bugs, but also that some had been targeting the flaws even before patches were released. The first known exploitation attempt is dated January 3, 58 days before public disclosure.
Over the course of last week, Microsoft released additional fixes for these vulnerabilities, including security updates (SUs) for older and unsupported Exchange Server versions, or Cumulative Updates (CUs), as the company calls them.
“This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs,” Microsoft said.
With the latest set of released updates, more than 95% of the Exchange Server versions that are exposed to the Internet are covered, yet tens of thousands of machines remain vulnerable. Microsoft revealed that, as of March 12, more than 82,000 Exchange servers were still left to be updated (out of 400,000 identified on March 1).
Last week, ESET reported that more than 10 threat actors were observed targeting vulnerable Exchange servers. Ransomware operators also started targeting the flaws, and the overall number of attacks aimed at the Exchange zero-days grew exponentially over the course of just several days.
On Sunday, security researchers at Check Point pointed out that “the number of exploitation attempts multiplied by more than 6 times” within “the past 72 hours alone,” adding that they had identified more than 4,800 exploits and hundreds of compromised organizations worldwide.