At least 30,000 American organizations recently hacked through holes in Microsoft email software – Krebs on Security

In the past few days, at least 30,000 organizations in the United States – including a significant number of small businesses, towns, cities and local governments – have been invaded by an unusually aggressive Chinese cyber espionage unit that focuses on stealing email from victim organizations, several sources tell KrebsOnSecurity. The espionage group is exploiting four newly discovered flaws in Microsoft Exchange Server email software and has seeded hundreds of thousands of victim organizations around the world with tools that give the attackers complete, remote control over the affected systems.

On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.

In the three days since then, security experts say the same Chinese cyber espionage group has dramatically increased attacks on any vulnerable and unpatched Exchange server worldwide.

In each incident, the attackers left behind a “web shell”, an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser and gives the attackers administrative access to the victim’s computer servers.

Speaking on condition of anonymity, two cybersecurity experts who have briefed U.S. national security advisors on the attack told KrebsOnSecurity that the Chinese hacking group thought to be responsible has seized control of “hundreds of thousands” of Microsoft Exchange Servers worldwide – with each victim system roughly representing one organization that uses Exchange to process email.

Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium”, and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, educational institutions, defense companies, policy think tanks and NGOs.

Microsoft’s initial statement on the Exchange flaws credited Volexity, based in Reston, Va., for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on January 6, 2021, a day when most of the world was glued to television coverage of the riot at the United States Capitol.

But Adair said that in the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that have not yet been protected by the security updates.

“We’ve worked on dozens of cases so far in which web shells were placed on the victim’s system on February 28 [before Microsoft announced its patches], until today,” said Adair. “Even if you fixed it the same day that Microsoft published its patches, there is still a high chance that there will be a web shell on your server. The truth is, if you’re running Exchange and haven’t fixed it yet, there’s a high chance that your organization is already compromised.”

Asked for comment, Microsoft said it is working closely with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), other government agencies and security companies to ensure it is providing the best possible guidance and mitigation to its customers.

“The best protection is to apply updates as quickly as possible to all affected systems,” said a Microsoft spokesman in a written statement. “We continue to help customers by providing additional research and mitigation guidance. Affected customers should contact our support teams for additional help and resources.”

Adair said he received dozens of calls today from state and local government agencies that have identified backdoors on their Exchange servers and are pleading for help. The problem is that patching the flaws only blocks the four different ways the hackers are using to get in. It does nothing to undo the damage that may already have been done.

By all accounts, rooting out these intruders will require an unprecedented and urgent nationwide cleanup effort. Adair and others say they are concerned that the longer it takes victims to remove the backdoors, the more likely it is that the attackers will follow up by installing additional backdoors and perhaps extending the attack to other parts of the victim’s network infrastructure.

Security researchers have published a tool in Microsoft’s GitHub code repository that allows anyone to scan the Internet for Exchange servers that have been infected with the backdoor web shell.

KrebsOnSecurity has seen portions of a victim list compiled by running this tool, and it is not a pretty picture. The backdoor web shell is present on the networks of thousands of organizations in the United States, including banks, credit unions, non-profits, telecommunications providers, utilities and police, fire and rescue units.

“There are police departments, hospitals, tons of municipal and state governments and credit unions,” said a source who is working closely with federal authorities on the issue. “Virtually everyone who runs self-hosted Outlook Web Access and hadn’t patched as of a few days ago has been hit by a zero-day attack.”

Another government cybersecurity expert who participated in a recent call with several stakeholders impacted by this wave of hacks fears that the necessary cleanup effort will be Herculean.

“In the call, many questions were from school districts or local governments that need help,” said the source, speaking on condition that they not be identified by name. “If those numbers are in the tens of thousands, how do you respond to incidents? There are simply not enough incident response teams to do this quickly.”

When it released patches for the four Exchange Server flaws on Tuesday, Microsoft emphasized that the vulnerabilities did not affect customers running its Exchange Online service (email hosted in the Microsoft cloud for businesses). But sources say the vast majority of organizations victimized so far are running some form of Internet-facing Microsoft Outlook Web Access (OWA) email system in tandem with Exchange servers internally.

“It’s a question worth asking: what is Microsoft’s recommendation going to be?” said the government cybersecurity expert. “They will say ‘Patch, but it is better to go to the cloud.’ But how are they protecting their non-cloud products? Letting them wither on the vine.”

The government cybersecurity expert said this latest round of attacks is uncharacteristic of the kinds of nation-state-level hacking typically attributed to China, which tends to be very focused on compromising specific strategic targets.

“It is unwise,” said the source. “It seems strange that Chinese state actors are so indiscriminate.”

Microsoft said Hafnium’s intrusions into vulnerable Exchange servers are in no way connected to the SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.

“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerabilities in Microsoft products and services,” said the company.

However, the events of the past few days may well eclipse the damage done by the SolarWinds attackers.

This is a story that moves quickly and will likely be updated several times throughout the day. Stay tuned.

Tags: Hafnium, Microsoft Exchange Server flaws, Steven Adair, Volexity

This entry was posted on Friday, March 5th, 2021 at 16:07 and is filed under Latest notices, The storm that is approaching, Time to correct.