RiskIQ: 69,548 Microsoft Exchange servers still vulnerable

Tens of thousands of Microsoft Exchange servers remain available for threat actors to attack even after significant patching and guidance from Microsoft.

Threat intelligence vendor RiskIQ told SearchSecurity that 69,548 Microsoft Exchange servers remain unpatched as of Sunday. This information comes two weeks after Microsoft's initial disclosure and patching on March 2, and follows the reported mass exploitation of multiple zero-days impacting on-premises Exchange servers.

A RiskIQ spokesperson also sent a regional breakdown of vulnerable servers to SearchSecurity. The U.S. led the pack with 16,894 vulnerable servers, followed by Germany with 7,843, Italy with 3,814 and France with 3,779.

RiskIQ, which is currently working with Microsoft in their response to zero-day-related issues, published a blog post last Friday that provided more insight into the number of vulnerable servers remaining. According to the post, there were 400,000 on-premises Exchange servers that needed to be updated on March 2. After the initial set of updates, the number of unpatched servers dropped to "more than 100,000 servers."

82,731 servers remained vulnerable on March 11, the day before the blog post went live. That now slightly outdated number accounted for "at least 312 banks, 335 healthcare, 105 pharma, and 153 servers ending with .gov," among those impacted. In addition, Exchange 2016 was the most exposed server type.

Another threat intelligence vendor, Kryptos Logic, tweeted Sunday that it had found 62,018 vulnerable Exchange servers in a scan it performed.

In an effort to protect remaining vulnerable organizations, Microsoft released a "one-click mitigation tool" Monday "to help customers who do not have dedicated security or IT teams to apply these security updates," according to the blog post announcing the tool.

While not a replacement for installing a full update, the tool gives unpatched customers an interim mitigation for ProxyLogon, the zero-day at the center of the recent Exchange Server attacks. The tool also provides an Exchange Server scan and attempts to "reverse any changes made by identified threats," the blog post read.

Microsoft previously released two other free tools for Exchange customers that detect indicators of compromise related to exploitation of ProxyLogon, as well as malicious web shells that attackers can use as backdoors into compromised servers.

The ProxyLogon attacks continue to escalate. Last week researchers detected a new ransomware variant known as "DearCry" that was being used in attacks against vulnerable Exchange servers.

Alexander Culafi is a writer, journalist and podcaster based in Boston.