Miscreants started scanning for Exchange Hafnium vulns five minutes after Microsoft told world about zero-days

Attackers began scanning for vulnerabilities just five minutes after Microsoft announced there were four zero-days in Exchange Server, according to Palo Alto Networks.
Although research director Rob Rachwald did not elaborate when The Register asked for more detail on its findings, a released report reckoned "Scans began within 15 minutes after Common Vulnerabilities and Exposures announcements were released between January and March."
Around a third of "overall security issues" noticed by Palo Alto related to poorly configured remote desktop protocol setups, with cloud environments being responsible for 80 per cent of "critical" vulns spotted during what the company described as scans of "the public-facing internet attack surface of some of the world's largest businesses."
The finding about time-of-flight between vuln disclosure and malicious scan hunting for exploitable deployments chimes with previous research on the same topic: last summer a SANS researcher noticed fresh honeypots were being probed for newly patched Citrix vulns - ironically he was hoping for attackers to try to exploit known vulns in F5 Networks gear at the time.
Last year's Netlogon vuln, which allowed attackers to bypass logon authentication and gain domain admin-level privileges on vulnerable networks, was being actively exploited a month after Microsoft emitted patches amid top-grade warnings about the critical security risk that the flaw, CVE-2020-1472, posed.
Being slow to patch has consequences, as the EU Banking Authority found out a week after patches were made available for the Hafnium Exchange vulns; the organisation had to pull its email servers offline after being compromised, as did the Norwegian Parliament.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/05/19/hafnium_scans_5_mins_post_disclosure/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-08-17 | CVE-2020-1472 | Use of Insufficiently Random Values vulnerability in multiple products. An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). | 0.0 |