Australian email servers vulnerable to China-backed spying group Hafnium’s Microsoft Exchange hack

Thousands of Australian organisations including the CSIRO and state governments rely on a Microsoft product that had four massive flaws exploited by hackers.

Companies and organisations around the world, including more than 7000 in Australia, are scrambling to stop a cybersecurity threat believed to be coming from China that exploits vulnerabilities in widely used Microsoft software.

On Tuesday the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) issued a “high alert” after it identified “extensive targeting” of Australian organisations and “confirmed compromises” of some of them, which it is now working with to tackle the problem.

It also warned that it had identified a “large number of Australian organisations” that “are yet to patch vulnerable versions of Microsoft Exchange, leaving them vulnerable to compromise”.

On Wednesday, Assistant Defence Minister Andrew Hastie warned that Australian organisations should take immediate steps to patch vulnerable systems, and go as far as disconnecting them from the internet if they can’t.

“Australian organisations cannot be complacent when it comes to cyber security, which is why all users of Microsoft Exchange are being urged to patch their vulnerable systems,” Assistant Minister Hastie said.

“If organisations are unable to quickly deploy these patches, they should consider preventing internet access to the exchange web server.”

Microsoft released some updated info for organisations trying to patch their Microsoft Exchange servers.

According to the AFR, the more than 7000 affected organisations include the ACT government and the CSIRO, which both said they’d patched the vulnerability within 24 hours of Microsoft releasing a fix.

Last week, cybersecurity researcher and journalist Brian Krebs reported 30,000 organisations had been compromised by an “unusually aggressive Chinese cyber espionage unit” that exploited flaws in Microsoft Exchange Server software, giving the hackers “total, remote control” over the systems affected.

The Microsoft Exchange Server software is widely used by organisations that maintain their own email servers (as opposed to relying on, for example, Google’s G Suite or Microsoft’s Office 365 cloud services, which haven’t been affected).

Exchange has a capability called Outlook Web Access (OWA), which allows workers to access their emails while they aren’t connected to the same network or “intranet” at their workplace. Some organisations disable that capability, which could have stopped them from being compromised.

Mr Krebs said the hackers had “seeded hundreds of thousands of victim organisations worldwide”.

Hackers based in China using US servers have been blamed for the attack.

His sources reported the cyber espionage group had “dramatically stepped up attacks on any vulnerable” servers that hadn’t been patched since Microsoft released emergency security updates last Tuesday.

But the patch doesn’t always help.

“Patching and mitigation is not remediation if the servers have already been compromised,” the White House National Security Council said on Sunday.

“It is essential that any organisation with a vulnerable server take immediate measures to determine if they were already targeted.”

The hackers are gaining ‘total, remote control’ of email servers.

The US Computer Emergency Readiness Team (CERT) said it was “aware of widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities”.

The US CERT sits in the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security.

Former CISA director Chris Krebs (not related to Brian) said the hack was “the real deal” and organisations should assume they have already been compromised. (Mr Krebs was previously fired by Donald Trump via tweet in November after CISA released a joint statement from several cybersecurity officials rejecting Mr Trump’s unproven claims of election fraud.)

Microsoft released the patch after it detected “multiple zero-day exploits”, thanks to reports from cybersecurity researchers at Volexity, which observed the hack in action as early as the day of the US Capitol riots on January 6.

A “zero-day” exploit is a previously unknown software security flaw, which gets its name from the fact that developers have had “zero days” to respond.

There were four of them in Microsoft Exchange.

Microsoft was first warned about the zero-day exploits in January but didn’t release patches until last week. Picture: Gerard Julien/AFP

Microsoft’s threat intelligence team has traced the hacks with “high confidence” to a group called Hafnium, which they’ve assessed as a “highly skilled and sophisticated” state-sponsored hacking group “operating out of China” but using virtual servers based in the US.

Microsoft said Hafnium had been targeting organisations with the hope of stealing information, targeting industry sectors including “infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs”.

According to Microsoft, Hafnium had a three-step approach to siphoning out the information.

First they gained access to the server, either by using stolen passwords or by exploiting the security vulnerabilities to disguise themselves as someone who should have access.

Then they installed a “web shell” that would allow them to remotely control the compromised server, and used that remote access to steal data via the US-based servers.

Hafnium has been described as an ‘aggressive Chinese cyber espionage unit’.

Microsoft said it had yet to see evidence of everyday consumers being targeted and that the exploits don’t work on other Microsoft software commonly used by your average computer user.

But the compromises are spreading.

A day after initially attributing Hafnium as the “primary actor”, Microsoft announced it had continued “to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond Hafnium”.

The White House is concerned, with an email from one official to Bloomberg revealing there was a “whole of government approach to assess and address the impact”.

The exploits are being increasingly used by other groups. Picture: Fred Tanneau/AFP

Officials at the US Department of Homeland Security’s cybersecurity agency held phone briefings with state and local officials on Friday and Saturday, according to Cyberscoop, which heard from one state-level official that two counties in that state had already “seen some indicators of compromise”.

“Obviously this is a big F’ing deal,” the official told the publication.

Already the reported number of compromised organisations has doubled from 30,000 to 60,000, but the journalist Mr Krebs said two cybersecurity experts who were briefing US national security advisers had told him “hundreds of thousands” of servers around the world had been compromised.

Original URL: https://www.news.com.au/technology/online/hacking/china-statesponsored-hacking-group-hafnium-exploit-microsoft-exchange-server/news-story/c737bf3c3e90a96f0636177bd3531eb1