More than 20,000 American organizations have been compromised through a back door installed via a recently patched flaw in Microsoft Corp’s flagship email software program, a person familiar with the U.S. government’s response to the hacking spree said on Friday.
It is the latest indication of how problems in widely used software can be used as jumping-off points for wide-ranging digital espionage campaigns.
Microsoft, which had initially said the espionage campaign consisted of “limited and targeted attacks,” did not immediately return a message seeking comment.
A statement updated Friday from the Canadian Centre for Cyber Security (CCCS) said that it has learned of “malicious actors” who were “actively scanning using automated tools to identify unpatched servers.”
In an email to Global News, a spokesperson for the CCCS said that they could not disclose whether Canadian organizations or individuals were targeted in the attack as well.
The Cybersecurity and Infrastructure Security Agency did not immediately respond to an email.
Earlier on Friday, White House press secretary Jen Psaki told reporters that the vulnerabilities found in Microsoft’s widely used Exchange servers were “significant,” and “could have far-reaching impacts.”
“We’re concerned that there’re a large number of victims,” Psaki said.
(Reporting by Raphael Satter in Washington; Editing by David Gregorio and Matthew Lewis)
— With files from Global News