State-sponsored hackers delay new Microsoft Exchange server by four years

State-sponsored cyberattacks on Microsoft Exchange servers throughout 2021 are the reason the latest version of the on-premises mail and calendar server will be delayed by four years, Microsoft said.

A new version of Microsoft Exchange Server was originally slated for an H2 2021 release, but Microsoft updated its roadmap, delaying the release to H2 2025 because of the time developers spent improving security following the Hafnium attacks.

Hafnium is a state-sponsored hacking group that Microsoft has previously said has ties to China. In 2021, Hafnium attacked Microsoft Exchange servers systematically using a host of zero-day vulnerabilities to exfiltrate victim information across various industries.

Along with an additional four-year wait for the next release, IT admins can expect to learn more about new features, pricing, requirements, and naming from the updated release in the first half of 2024.

Microsoft also said the latest version will require server licenses and client access licenses (CALs) and will only be available to customers with Software Assurance – a service pack that automatically provides customers with licenses for the latest software releases.

The current support dates for Exchange Server 2013 (April 11, 2023), Exchange Server 2016 (October 14, 2025), and Exchange Server 2019 (October 14, 2025) remain unchanged.

The next version of Exchange Server will transition to Microsoft’s Modern Lifecycle Policy, which does not set end-of-life (EOL) dates for products or services, but continues to offer support as long as there is demand in the market.

Customers running Exchange Server 2019 might have an easier time upgrading to the new version when the time comes, Microsoft hinted.

After addressing previously known upgrade issues related to hardware requirements and mailbox migration, Microsoft is introducing an in-place upgrade capability to Exchange Server 2019 and recommends all customers upgrade to the version “as soon as possible”.

Hafnium Server Headquarters

Last year, the China-linked state-sponsored hacking group exploited a string of zero-day vulnerabilities in Microsoft Exchange, resulting in hacks on hundreds of thousands of businesses.

Microsoft said at the time that the group was known to collect data from various types of organizations, including those in the medical, educational, military, NGO and political sectors.

Based in China but operating from US-based virtual private servers (VPS), Hafnium gained access to Exchange servers, installed a web shell for remote control and stole data.

The White House was particularly concerned about the threat to national security and urged all companies to patch their Exchange servers to the latest version on a priority basis at the time.

More than a month after the exploits were made public, US government agencies were still finding unpatched Exchange Server vulnerabilities in their systems.

Experts said that if organizations had not patched on release day, chances are the environment is already compromised and the web shell has already crashed.

It was later revealed that Microsoft first became aware of zero-day exploits in January 2021, two months before Hafnium’s activity ramp-up in March.

Hafnium’s exploit chain was eventually used in separate attacks throughout the year, including the Qakbot and SquirrelWaffle malspam campaigns spreading through unpatched servers in October 2021.

Microsoft’s work so far

The delay in the latest version of Microsoft Exchange Server is due to the fact that Microsoft security experts have been forced to work throughout 2021 to combat massive attacks from exploits used by Hafnium.

Microsoft said work on the new version had stalled as the team was busy pushing out-of-band security updates and a one-click mitigation tool, which was later integrated as a core feature of Exchange Server, and integrating other services to improve service security for IT administrators.

It also launched a bug bounty program for Exchange Server and Office Server under the Microsoft Applications and On-Premises Servers Bounty program to improve the company’s collaboration with the private sector and independent security researchers and ultimately improve the security of Exchange Server.
