The White House has urged widespread action to patch Microsoft Exchange servers following an ongoing attack that the company has blamed on China.

Jen Psaki, White House press secretary on Friday said: “This is an active threat. Everyone running these servers- government, private sector, academia – needs to act now to patch them.”

As GRC World Forums reported last week Microsoft has detected multiple zero-day attacks against on-premise versions of Microsoft Exchange Server.

Cybersecurity specialist Brian Krebs has since estimated that 30,000 organisations across the United States, including small businesses and local governments have been hit in the attack, which he terms ‘unusually aggressive Chinese-cyber espionage”

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive last week warning that the exploitation of the Microsoft Exchange on-premises products “poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action”. It is requiring federal agencies running the products to update or disconnect them until they have been patched

Microsoft’s Threat Intelligence Center attributes the attacks with “high confidence” to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

The threat actor uses vulnerabilities to access exchange servers enabling access to email accounts and allowing installation of malware.

Reuters has reported that the Chinese govenrment denies any involvement.

Microsoft said HAFNIUM primarily targets entities in the US across a range of sectors, particularly infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and non-government organisations (NGOs).

The hacker group has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, such as Covenant, for command and control, Microsoft said.

“Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file-sharing sites like MEGA,” it added.

PrivSec Global, a live streaming event, takes place on 23-25 March featuring more than 200 speakers and 64 sessions on privacy, data protection and cyber-security.