State-sponsored hackers delay new Microsoft Exchange Server by four years

State-sponsored cyber assaults on Microsoft Exchange servers all through 2021 are the explanation why the most recent model of the on-prem mail and calendaring server can be delayed by four years, Microsoft mentioned.

A new model of Microsoft Exchange Server was initially on the right track for an H2 2021 launch however Microsoft has up to date its roadmap delaying the discharge to H2 2025 because of the time it took builders to enhance safety within the wake of the Hafnium assaults.

Hafnium is a state-sponsored hacking group Microsoft has beforehand mentioned is linked to China. In 2021, Hafnium attacked Microsoft Exchange servers constantly utilizing a flurry of zero-day vulnerabilities to exfiltrate info from victims throughout varied enterprise verticals.

In addition to an additional four-year look ahead to the subsequent model, IT admins can count on to listen to extra concerning the new options, pricing, necessities, and naming of the up to date model within the first half of 2024.

Microsoft additionally said the most recent model would require Server licenses and Client Access Licenses (CALs) and will solely be accessible to prospects with Software Assurance – a service pack that robotically gives prospects with licenses to the most recent variations of software program. 

The present assist dates for Exchange Server 2013 (11 April 2023), Exchange Server 2016 (14 October 2025), and Exchange Server 2019 (14 October 2025) are unchanged. 

The subsequent model of Exchange Server will transfer to Microsoft’s Modern Lifecycle Policy which doesn’t set end-of-life (EOL) dates for services or products however continues to supply assist so long as there may be demand for it out there.

Customers working Exchange Server 2019 could have a neater time upgrading to the new model when the time comes, Microsoft hinted.

After resolving beforehand identified upgrading points regarding {hardware} necessities and mailbox migration, Microsoft is introducing an in-place improve functionality to Exchange Server 2019 and recommends all prospects improve to the model “as quickly as doable”.

Hafnium’s server siege

Last 12 months, the Chinese-linked state-sponsored hacking group exploited a series of zero-day vulnerabilities in Microsoft Exchange, resulting in hacks on hundreds of thousands of businesses. 

Microsoft mentioned on the time that the group was identified for harvesting knowledge from varied kinds of organisations together with these within the medical, training, navy, NGO, and coverage sectors.

Based in China however working from US-based digital personal servers (VPS), Hafnium gained access to Exchange Servers, put in an internet shell for distant management, and stole knowledge.

The White House was particularly involved concerning the menace to nationwide safety and urged all companies to patch their Exchange servers to the most recent model as a matter of precedence, on the time.

More than a month after the exploits grew to become public data, US government agencies were still finding unpatched Exchange Server vulnerabilities in their systems.

Experts mentioned that if organisations hadn’t patched on the day of launch, there was a robust likelihood that the surroundings was already compromised, and the net shell had already been planted.

It was later revealed that Microsoft first grew to become conscious of the zero-day exploits in January 2021, two months earlier than Hafnium’s exercise ramping up in March.

Hafnium’s exploit chain was in the end utilized in separate assaults all year long, specifically by the Qakbot and SquirrelWaffle malspam campaigns spreading via unpatched servers in October 2021.

Microsoft’s work to date

The delay to the most recent model of Microsoft Exchange Server got here on account of Microsoft’s safety specialists being compelled to work all through 2021 to fight the heavy assaults from the exploits used by Hafnium. 

It mentioned that work on the new launch was stalled because the workforce was busy pushing out-of-band safety updates, a one-click mitigation tool – which was later built-in as a core characteristic of Exchange Server and integrating different providers to enhance the safety of the service for IT admins.

It additionally launched a bug bounty programme for Exchange Server and Office Server below the Microsoft Applications and On-Premises Servers Bounty Program to enhance the corporate’s collaboration with the personal sector and unbiased safety researchers and in the end enhance the safety of Exchange Server.