On March 2, Microsoft released an emergency security update for its Microsoft Exchange email and communications software, patching a security hole in versions of the software going back to 2013. But as customers slowly update their systems, there are signs that at least 30,000 organizations across the US have already been hit by hackers who stole email communications from their systems.
The attacks, which were reported by security expert Brian Krebs on Friday, have hit infectious-disease researchers, law firms, defense contractors, higher education institutions and nongovernmental organizations. Krebs said the researchers who identified the flaw had seen attackers exploiting the vulnerability two months ago.
Microsoft said it's working with the US government to provide guidance for its customers.
"The best protection is to apply updates as soon as possible across all impacted systems," Microsoft said in a statement to Krebs. "We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources." Microsoft didn't immediately respond to a request for comment.
Some of the most high-profile attacks over the years have been the result of hackers targeting organizations that were slow to update their software. Hackers stole data from Equifax by exploiting a vulnerability that would've been patched had the company applied an update that was already available. Hackers have also used already-patched software vulnerabilities to attack the systems of state and local governments.
That's likely why the White House took the dramatic step of raising the alarm. On Thursday, National Security Advisor Jake Sullivan urged companies to update their software, and White House Press Secretary Jen Psaki discussed the hack during her daily press briefing on Friday.
"This is a significant vulnerability that could have far-reaching impacts," Psaki said. "First and foremost, this is an active threat."