'Critical alert' issued for email systems

A "critical alert" has been issued to Australian organisations using Microsoft Exchange to send and receive emails after the tech giant found significant new vulnerabilities.

The Australian Cyber Security Centre on Wednesday said Microsoft had identified "significant newly discovered vulnerabilities" in Microsoft Exchange 2013, 2016 and 2019 allowing attackers to gain and persist access.

Patches released in March do not remediate these new vulnerabilities and new updates released on Tuesday must be applied to prevent potential compromise, it said.

"Organisations should apply new patches as soon as possible and also undertake detection steps outlined in Microsoft guidance," ACSC said in an alert labelled "critical".

Businesses should investigate the possibility of exploitation "as a matter of priority" as deploying patches alone was no longer deemed sufficient.

Microsoft said it had not seen the problems being exploited so far, but hackers will study the new patches to see what they are fixing, then deploy attacks against unpatched machines.

"Customers using Exchange Online are already protected and do not need to take any action," it said.

The new flaws come on top of those used in a flood of attacks earlier this year that compromised more than 20,000 US on-premises Exchange servers handling web versions of Outlook mail.

ACSC said it has identified extensive targeting and confirmed compromises of local organisations with vulnerable Microsoft Exchange deployments.

A "large number" of Australian organisations are yet to patch vulnerable Exchange versions.

Given cybercriminals' prior use of publicly disclosed vulnerabilities to conduct ransomware campaigns, ACSC said it expected vulnerable Australian systems would be targeted by ransomware.