At least 30,000 organizations across the United States – including a significant number of small businesses, towns, cities and local governments – have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that is focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively exploiting to siphon email communications from Internet-facing systems running Exchange.
In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.
In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.
Speaking on condition of anonymity, two cybersecurity experts who have briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange servers worldwide – with each victim system representing approximately one organization that uses Exchange to process email.
Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed Hafnium, and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, companies, educational institutions, defense contractors, policy think tanks and NGOs.
Microsoft’s initial advisory about the Exchange flaws credited Reston, Va.-based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on January 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.
But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that have not yet been protected by the security updates.
“So far, we have worked on dozens of cases in which web shells were placed on the victims’ systems from February 28 [before Microsoft announced its patches] up until today,” Adair said. “Even if you patched the same day Microsoft published its fixes, there’s still a good chance there’s a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
Reached for comment, Microsoft said it is working closely with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), other government agencies and security companies to ensure it is providing the best possible guidance and mitigation for its customers.
“The best protection is to apply updates as soon as possible across all impacted systems,” a Microsoft spokesperson said in a written statement. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”
Adair said he has fielded dozens of calls today from state and local government agencies that have identified the backdoors on their Exchange servers and are pleading for help. The problem is that patching the flaws only blocks the four different avenues the hackers are using to get in. It does nothing to undo the damage that may already have been done.
It appears that rooting out these intruders will require an unprecedented and urgent nationwide clean-up effort. Adair and others say they are worried that the longer it takes victims to remove the backdoors, the more likely the intruders are to follow up by installing additional backdoors, and perhaps by broadening the attack to include other parts of the victim’s network infrastructure.
Security researchers have published a tool on Microsoft’s Github code repository that lets anyone scan the Internet for Exchange servers that have been infected with the backdoor web shell.
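The article’s point above is that patching closes the four entry points but does not remove a web shell that was dropped before the patch, so each Exchange server has to be checked from the inside as well. The following PowerShell triage script is an added example for this page; it is not the GitHub scanner the article mentions and not code from Microsoft or Volexity. It assumes it runs on an on-premises Exchange 2013–2019 server where Exchange setup has populated the `ExchangeInstallPath` environment variable, it uses the Feb. 28 date from Adair’s quote as the default cutoff, and the content markers it searches for are generic heuristics chosen for this example rather than published indicators of compromise.

```powershell
# Added example (not from the article): list server-side script files written
# recently into the web directories IIS serves for Exchange OWA/ECP, and flag
# those that look like they take attacker input and execute it.
param(
    # Cutoff taken from the article's "web shells placed since Feb. 28" remark.
    [datetime]$Since = (Get-Date '2021-02-28'),
    # Assumption: Exchange setup sets this variable on the server.
    [string]$ExchangeRoot = $env:ExchangeInstallPath
)

if (-not $ExchangeRoot) {
    throw "ExchangeInstallPath is not set; run this on the Exchange server or pass -ExchangeRoot."
}

# Web roots that IIS serves anonymously before authentication; any new .aspx
# dropped here is reachable from the Internet by whoever knows its name.
$roots = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    'C:\inetpub\wwwroot\aspnet_client'
) | Where-Object { Test-Path $_ }

# Heuristic markers (assumption, not an IOC list): a web shell has to read a
# request parameter and hand it to something that evaluates or executes it.
$markers = @('Request\s*[\[\.(]', 'eval\s*\(', 'Process\.Start', 'System\.Diagnostics', 'CreateObject')

$findings = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $text = Get-Content -Raw -ErrorAction SilentlyContinue -Path $_.FullName
            $hits = @($markers | Where-Object { $text -match $_ })
            [pscustomobject]@{
                Path         = $_.FullName
                CreationTime = $_.CreationTime
                LastWrite    = $_.LastWriteTime
                SizeBytes    = $_.Length
                Markers      = ($hits -join ', ')
                Sha256       = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            }
        }
}

if ($findings) {
    $findings | Sort-Object CreationTime | Format-Table -AutoSize
    Write-Warning ("Server-side script files written since {0} found under Exchange web roots. " +
                   "Treat each as a possible web shell: preserve the file and the IIS logs before removing anything.") -f $Since
} else {
    "No .aspx/.ashx/.asmx files written since $Since under the checked Exchange web roots."
}
```

Two caveats a practitioner will want. First, the date filter alone is not a verdict: installing a cumulative update after the cutoff rewrites Exchange’s own legitimate `.aspx` files, so compare the hashes of anything flagged against a known-good install of the same build before deciding. Second, a file that matches none of the markers can still be a shell (obfuscation is cheap), so a clean run of this script is a reason to move on to IIS and Exchange log review, not a reason to stop.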
KrebsOnSecurity has seen portions of a victim list compiled by running this tool, and it is not a pretty picture. The web shell is present on the networks of thousands of U.S. organizations, including banks, credit unions, nonprofits, telecommunications providers, public utilities, and police, fire and rescue units.
“These are police departments, hospitals, tons of city and state governments and credit unions,” said a source working closely with federal officials on the issue. “Almost everyone who runs self-hosted Outlook Web Access and was not patched a few days ago was hit with a zero-day attack.”
Another government cybersecurity expert, who took part in a recent call with multiple stakeholders hit by this hacking spree, worries that the required clean-up effort will be Herculean.
“On the call, many of the questions were from school districts or local governments that all need help,” the source said, speaking on condition that they not be identified by name. “If those numbers are in the tens of thousands, how do you respond to incidents? There just aren’t enough incident response teams out there to do that quickly.”
When it released patches for the four Exchange Server flaws on Tuesday, Microsoft emphasized that the vulnerabilities did not affect customers running its Exchange Online service (Microsoft’s cloud-hosted email for businesses). But sources say the vast majority of the organizations victimized so far are running some form of Internet-facing Microsoft Outlook Web Access (OWA) email systems in tandem with Exchange servers internally.
“It’s a question worth asking, what’s Microsoft’s recommendation going to be?” the government cybersecurity expert said. “They’ll say ‘Patch, but it’s better to go to the cloud.’ But how are they securing their non-cloud products? Letting them wither on the vine.”
The government cybersecurity expert said this latest round of attacks is uncharacteristic of the kinds of nation-state hacking typically attributed to China, which usually focuses on compromising specific strategic targets.
“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”
Microsoft said Hafnium’s attacks on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.
“We continue to see no evidence that the actor behind SolarWinds has discovered or exploited any vulnerabilities in Microsoft products and services,” the company said.
Nevertheless, the events of the past few days may ultimately end up overshadowing the damage done by the SolarWinds intruders.
This is a fast-moving story and will likely be updated several times a day. Stay tuned.
Tags: Hafnium, Microsoft Exchange Server flaws, Steven Adair, Volexity
This entry was posted on Friday, March 5th, 2021 at 4:07 pm and is filed under Latest Warnings, The Coming Storm, Time to Patch.