Thousands of Microsoft Exchange servers are still compromised by hackers even after applying fixes, a top U.S. cybersecurity official said Monday, citing data from cybersecurity companies.
Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, said owners of the email servers that were compromised before Microsoft Corp. issued a patch nearly three weeks ago must take additional measures to remove the hackers from their networks.
Microsoft has previously warned that patching won’t evict a hacker who has already compromised a server.
“We remain committed to supporting our customers against these attacks, to innovating on our security approach, and to partnering closely with governments and the security industry to help keep our customers and communities secure,” a Microsoft spokesperson said on Monday.
The servers that remain compromised could be used as a launching pad for criminal hackers to initiate ransomware attacks on computer networks, in which files are encrypted and held for ransom until a payment is made. Reports of ransomware attacks inside compromised networks have so far been sparse.
Last week, Microsoft released a tool that allows owners of on-premises Exchange servers to patch the security flaws with one click. But hackers may have already breached those servers and can sit inside computer networks even after the fix is applied. Microsoft has said the attack started with a Chinese government-backed hacking group that was accused of exploiting previously unknown vulnerabilities in Microsoft’s widely used Exchange business email software.
About 45% of the vulnerable systems had been patched over the past week, a National Security Council spokesperson said. There are now fewer than 10,000 vulnerable systems remaining in the U.S., down from at least 120,000 at the start.