Microsoft’s “Crazy Huge Hack,” Explained

Photograph: David Ramos (Getty Images)

Last week, Microsoft announced that the on-premises version of its widely used Exchange email and calendar product had several previously undisclosed security flaws. These flaws, the company said, were being exploited by foreign threat actors to break into the networks of U.S. companies and government bodies, primarily to steal large amounts of email data. Since then, the main question on everyone’s mind has been: how bad is it?

The short answer is: very bad.

So far, descriptors such as “crazy huge,” “astronomical,” and “exceptionally aggressive” seem to be right on the money. As a result of the Exchange vulnerabilities, tens of thousands of US-based entities are likely to have had backdoors deployed on their systems. Anonymous sources close to the investigation have repeatedly told the press that somewhere around 30,000 American organizations have been compromised as a result of the security flaws (if they are correct, these numbers officially dwarf SolarWinds, which led to the compromise of some 18,000 domestic entities and nine federal agencies, according to the White House). The number of compromised entities worldwide could be much higher. A source recently told Bloomberg that there are “at least 60,000 known victims globally.”

Even more worrying, some researchers say that since the public disclosure of the Exchange vulnerabilities, attacks on the product have actually accelerated. Anton Ivanov, a threat research specialist at Kaspersky, said in an email that his team saw an increase in activity last week.

“From the beginning, we anticipated that attempts to exploit these vulnerabilities would increase rapidly, and that is exactly what we are seeing now – so far, we have detected such attacks in more than 100 countries, essentially in all parts of the world,” Ivanov told Gizmodo. “Even though the initial attacks may have been targeted, there is no reason for the actors not to try their luck by attacking essentially any organization that runs a vulnerable server. These attacks are associated with a high risk of data theft or even ransomware attacks and, therefore, organizations need to take protective measures as soon as possible.”

How the attacks are happening

Microsoft Exchange Server comes in two forms, which has created some confusion about which systems are at risk: there is an on-premises product and a software-as-a-service cloud product. The cloud product, Exchange Online, is unaffected by the security holes. As stated earlier, it is the on-premises product that is being exploited. Other Microsoft email products are not considered to be vulnerable. As CISA put it, “Neither the vulnerabilities nor the exploitation activity identified are currently known to affect Microsoft 365 or Azure Cloud deployments.”

There are four vulnerabilities in on-premises Exchange servers that are being actively exploited (see: here, here, here, and here). Three other related security vulnerabilities exist, but authorities say they have not yet seen them actively exploited (see: here, here, and here). Patches can be found on the Microsoft website; however, as we will see in more detail later, there have been some problems with applying them properly.

So far, Microsoft has mainly blamed a threat actor dubbed “HAFNIUM” for the intrusions into Exchange. HAFNIUM is believed to be a state-sponsored group whose modus operandi involves exploiting security holes to deploy web shells – malicious scripts that act as backdoors on compromised systems. These web shells give the hackers remote access to the servers, after which they exfiltrate large chunks of email data, including entire inboxes. HAFNIUM’s aim appears to be intelligence collection. Although the group is believed to be based in China, the Chinese government has denied any responsibility.

However, security researchers say that other threat actors are almost certainly also exploiting the vulnerabilities. Security firm Red Canary reported over the weekend that it had observed several clusters of activity targeting Exchange servers and that organizations should not assume they are necessarily being targeted by HAFNIUM – it could be someone else. “Based on our visibility and that of Microsoft researchers, FireEye and others, there are at least 5 different groups of activity that appear to be exploiting the vulnerabilities,” Red Canary researcher Katie Nickels said on Saturday.

Who is being hit

Due to the widespread use of Exchange, many different types of entities are at risk. Some large organizations, including the European Banking Authority, have already announced breaches. There is no word yet on whether the US government has been affected, although several agencies, including the Pentagon, are currently scanning their own networks to investigate whether they have been compromised.

Security researchers have expressed particular concern for smaller entities – specifically city and county governments and small and medium-sized companies – which, they say, are more at risk. In North Dakota, the state government recently acknowledged that it had been targeted by HAFNIUM and that it was investigating whether Chinese hackers had stolen data.

Lior Div, CEO of security firm Cybereason, said that smaller companies are at risk of being compromised by the campaigns. Div emphasized the potential impact this hack could have on local economies if the attacks prove to be destructive rather than merely intrusive:

“The newest attack on Microsoft Exchange is 1,000 times more devastating [than SolarWinds] because Chinese invaders target SMEs [small and medium-sized enterprises], the lifeblood of the US economy and the driver of the global economy,” Div said by email. “SMEs were most affected by the COVID-19 pandemic, with millions of company closings around the world. And just when we are starting to turn the corner after a devastating year, this attack on SMEs is launched. This attack is potentially even more damaging because SMEs typically do not have such a robust security posture in place, allowing threat agents to take advantage of the weak and generate strong revenue streams in this way.”

What is being done

The White House announced late on Sunday that it would be setting up a task force to investigate the extent of the hack. That response may be slowed, however, by the fact that the Biden administration is already trying to formulate a response to the SolarWinds hack (the White House is currently weighing covert cyber operations and sanctions against Russia for its alleged role in those attacks).

As noted above, Microsoft has released patches for the vulnerabilities – but these patches have had some problems. On Thursday, a Microsoft spokesperson noted that in certain cases the patches appear to install successfully but do not actually fix the vulnerability. A complete rundown of this issue can be found on the Microsoft website.

Organizations have been warned that they should not just patch the vulnerabilities but must also investigate whether they have already been compromised. Microsoft has announced resources to help with that. It published an update to its Safety Scanner tool (MSERT), which can help identify whether web shells have been deployed on Exchange servers. MSERT is an anti-malware tool that searches for, identifies, and removes malware on a system.

Beyond shoring up defenses and inspecting systems for evidence of compromise, there may not be much that can be done at this point. As with SolarWinds, Americans will probably just have to sit and wait. It will certainly take time to understand the full extent of the damage.
