“Hack everyone who can”: what to know about the massive Microsoft Exchange breach

Those responsible for cybersecurity are working 24 hours a day to strengthen the networks affected by last week’s hack of Microsoft’s Exchange email service – an attack that affected hundreds of thousands of organizations worldwide.

On Friday, the White House urged victims to fix the systems and emphasized the urgency: the window to update the systems can be measured in “hours, not days,” said a senior government official.

“This is a huge, crazy hack,” Christopher Krebs, former director of the US Cybersecurity and Infrastructure Security Agency (CISA), tweeted last week.

The consequences of the hack are still being measured. President Joe Biden was briefed on the attack and discussed it with leaders from India, Japan and Australia at a summit on Friday, said national security adviser Jake Sullivan. The National Security Council has set up a multi-agency government task force to deal with the massive breach.

The breach follows last year’s Russian hack, which used SolarWinds software to spread a virus across 18,000 private and government computer networks.

[Photo] FireEye CEO Kevin Mandia takes a tour of the cybersecurity company’s unused office space in Reston, Virginia, Tuesday, March 9, 2021. Mandia said 550 of his employees are working remotely and responding to a recent flood of cyber breaches, including four different zero-day attacks against Microsoft Exchange. (Nathan Ellgren / AP)

“SolarWinds was bad. But the mass invasion that’s going on here is literally the biggest invasion I’ve seen in my fifteen years,” said David Kennedy, CEO of cybersecurity company TrustedSec. “In this specific case, there was no rhyme or reason for who [attackers] were hacking. It was literally hacking everyone they could in this short time window and causing as much pandemonium and chaos as possible.”

Here’s what you should know about the Microsoft Exchange exploit:

When did the attack start?

Hackers began sneaking up on Exchange servers “in early January,” according to cybersecurity company Volexity, which Microsoft credits for identifying early exploits.

According to Microsoft corporate vice president Tom Burt, hackers first gained access to an Exchange server with stolen passwords or by using previously unknown vulnerabilities to “disguise themselves as someone who should have access”. Using web shells, the hackers then controlled the servers via remote access – operated from private servers based in the United States – to steal data from the victim’s network.

Who is behind the attack?

Microsoft has identified a China-based group known as “Hafnium” as the main actor behind the initial attacks.

The Hafnium group has historically targeted “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” wrote Burt on a company blog.

[Photo illustration] A Microsoft logo displayed on a smartphone with stock market values in the background. (Omar Marques / SOPA Images / Sipa USA via AP Images)

How did Microsoft respond?

Microsoft made the vulnerabilities public on March 2 and released “patches” for various versions of Exchange. Although Microsoft typically releases updates on the second Tuesday of each month – known as “Patch Tuesday” – its announcement came on the first Tuesday of the month, an indication of the urgency.

Days later, the company also took an unusual step in releasing security patches for outdated versions of Exchange Server.

A Microsoft spokesman told CBS News that the company was working closely with CISA, other government agencies and security companies. In a statement provided to CBS News last week, the company said: “The best protection is to apply updates as quickly as possible to all affected systems. We continue to assist customers by providing additional investigation and mitigation guidance. Affected customers should contact our support teams for additional help and resources.”

How did the attack evolve?

Experts say it is common for hackers to step up an attack just before a fix is released, but that the pace was much faster in this case. “Since a patch is imminent, [hackers] can resort to broader exploitation because there is a ‘use it or lose it’ factor,” said Ben Read, director of threat analysis at cybersecurity company Mandiant.

But in late February, just days before Microsoft released its security patch, security researchers saw a second wave of automated attacks targeting victims across all sectors of the industry.

“They were very aggressive, essentially hacking everyone,” said Kennedy. Hackers have deployed backdoors known as “web shells” on systems, launching attacks against organizations “without rhyme or reason”. Kennedy added: “We haven’t seen this from China in the past.”

Microsoft said on Friday that it is investigating whether attackers were tipped off that a fix was imminent. The internal investigation is focused on “what may have caused the increase in malicious activity” in late February, but investigators have not yet reached any conclusions. “We saw no indication of a Microsoft leak related to this attack,” a Microsoft spokesman told CBS News.

What did the hackers want?

The goal of the hackers is not clear. “Tens of thousands of targets, most of which really have no intelligence value,” said Read. “They are just some kind of small towns and local businesses. Their information is probably of no value to the Chinese government.” Read called the “level of mass exploitation” of random targets a “very rare” display of strength.

And what started as a hack led by Chinese hackers soon gave way to a growing frenzy of criminal gangs in other countries, including Russia.

At least 10 hacking groups have exploited flaws in the Exchange Server email program worldwide, the antivirus company ESET said in a blog post on Wednesday.

Who was the target?

Cybersecurity experts told CBS News that tens of thousands of public and private entities in the United States have been hit. “Initially, the first estimates were that 30,000 people were hacked. We are seeing a much larger number now,” said Kennedy. “Globally, it’s definitely in the hundreds of thousands of servers that have been hacked.”

The list of victims worldwide continues to grow and includes schools, hospitals, cities and pharmacies. Cybersecurity company FireEye identified “a number of affected victims, including US-based retailers, local governments, a university and an engineering company” in a blog post.

The European Banking Authority, the EU’s banking regulator, announced that it had been hit.

The attack largely spared Fortune 500 companies and large organizations that had migrated their servers to Microsoft Exchange Online – Microsoft’s cloud-based email and calendar service. But the widespread attack will be painful for smaller companies that run Microsoft Exchange on their own local servers and can less afford to pay for cutting-edge security.

“The most worrying victims are, by far, small and medium-sized businesses that do not follow security news every day, who may not be aware that this massive patch exists,” Katie Nickels, director of intelligence at the cybersecurity company Red Canary, told CBS News. She added that victim notification represents a “major challenge”, given the large number of organizations affected. “What worries me most is everyone we don’t see,” she said.

Has the federal government been breached?

Authorities have not confirmed breaches at any federal agency, Eric Goldstein, executive assistant director of CISA’s cybersecurity division, told lawmakers last week. “At the moment, there are no federal civilian agencies that have been confirmed as compromised by this campaign.”

But national security adviser Jake Sullivan said on Friday that the federal government “is still trying to determine the scope and scale” of the hack.

The Cybersecurity and Infrastructure Security Agency (CISA) said the breach “poses an unacceptable risk to the agencies of the Federal Civil Executive Branch” and issued an emergency directive on March 2 ordering all agencies to immediately patch affected Exchange servers or disconnect them.

What is the risk?

Cybersecurity companies say they have begun to observe hackers stealing network passwords and installing cryptocurrency-mining malware on compromised servers.

And Microsoft said in an early-morning tweet on Thursday that a new strain of “ransomware” had been detected – a type of malicious software designed to block access to a computer until the victim pays a sum of money.

While companies may assume that their systems are safe after installing the Microsoft security patch, the emergency update only closes the entry point; it does not expel attackers who are already inside, leaving already-breached organizations susceptible to further exploitation.
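The point above is the one defenders most often miss: a web shell dropped before the patch is an ordinary file on disk, and applying the update leaves it in place. The script below is an added example, not code from the article, from Microsoft or from any of the companies quoted; it hunts a web root for ASP.NET script files that combine several features typical of web shells and were modified inside a chosen time window. The directory names, the heuristic patterns and the score threshold are assumptions to be tuned for a real environment, and the sample files it scans are constructed inline (the shell-like markers sit in a server-side comment, so the sample does nothing).

```python
"""Hunt for web-shell-like ASP.NET files that a patch alone would not remove.

Added example, not from the article or from Microsoft. Paths, patterns and
thresholds are assumptions for illustration.
"""
import os
import re
import tempfile
import time
from pathlib import Path

SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Constructed heuristics. Each pattern alone is common in legitimate pages,
# so a file is flagged only when several of them co-occur.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"<%@\s*Page", re.I),                       # server-side page directive
    re.compile(rb"Request\s*[\[\.]", re.I),                 # reads request-controlled input
    re.compile(rb"\bEval\s*\(", re.I),                      # dynamic evaluation
    re.compile(rb"Process\.Start|ProcessStartInfo", re.I),  # spawns an OS process
]


def score_file(path: Path) -> int:
    """Return how many suspicious patterns appear in the file."""
    data = path.read_bytes()
    return sum(1 for pattern in SUSPICIOUS_PATTERNS if pattern.search(data))


def find_suspect_files(web_root, min_score=2, modified_since=None):
    """Return sorted [(relative_path, score)] for script files scoring >= min_score.

    modified_since is an epoch timestamp; files last modified before it are
    skipped, which narrows a hunt to the window in which compromise was possible.
    """
    web_root = Path(web_root)
    hits = []
    for path in web_root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        if modified_since is not None and path.stat().st_mtime < modified_since:
            continue
        score = score_file(path)
        if score >= min_score:
            hits.append((path.relative_to(web_root).as_posix(), score))
    return sorted(hits)


def build_demo_tree() -> Path:
    """Create a constructed web root: one benign page, one recent shell-like
    file, and one old shell-like file outside the hunt window."""
    root = Path(tempfile.mkdtemp(prefix="demo_webroot_"))
    (root / "site" / "pages").mkdir(parents=True)   # assumed layout, not Exchange's
    (root / "site" / "uploads").mkdir()

    # Benign page: only the page directive, nothing request-driven.
    (root / "site" / "pages" / "default.aspx").write_bytes(
        b'<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')

    # Shell-like markers inside a server-side comment: inert, but they trip
    # the same patterns a real web shell would.
    marker = (b'<%@ Page Language="C#" %>\n'
              b'<%-- constructed sample: Request["x"] Eval( Process.Start --%>\n')
    (root / "site" / "uploads" / "recent_constructed.aspx").write_bytes(marker)

    old = root / "site" / "uploads" / "old_constructed.aspx"
    old.write_bytes(marker)
    thirty_days_ago = time.time() - 30 * 86400
    os.utime(old, (thirty_days_ago, thirty_days_ago))   # backdate its mtime
    return root


def run_demo():
    """Scan the constructed tree for suspect files modified in the last 7 days."""
    root = build_demo_tree()
    window_start = time.time() - 7 * 86400
    return find_suspect_files(root, min_score=2, modified_since=window_start)


if __name__ == "__main__":
    for rel_path, score in run_demo():
        print(f"{score} suspicious indicators: {rel_path}")
```

Run against a real web root, the time window should start no later than the earliest date on which the server could have been reached, and any file that scores should be treated as an incident-response lead (preserve it, check who wrote it and when) rather than simply deleted; dropping the window widens the hunt to every matching file regardless of age.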

“There is also a lot of concern now that China will sell these accounts” to malefactors, including “ransomware authors to inflict as much damage as possible,” said Kennedy. “So now is a very critical time for us.”

Is this connected to SolarWinds?

The latest attack is not connected to last year’s SolarWinds breach, although the timing of two consecutive major cyber attacks has strained defenders’ capacity to respond.

“The big impact on the industry is time,” said Nickels. “We have been in a pandemic for a year. People are working remotely and are exhausted and stressed.”

American officials told CBS News that while the SolarWinds hack has greater national security implications, given that the hackers in that attack accessed nine federal agencies, the Microsoft Exchange attack is much more widespread.

“This is definitely bigger than SolarWinds,” said Kennedy. “While [SolarWinds] was bad, it didn’t even come close to all the systems here.”

“This hack is much louder and easier to detect, but the scale is what makes it so worrying,” said Nickels.

Senior White House officials told reporters on Friday that the Biden administration will announce executive action in response to the SolarWinds attack. The White House is also preparing a new executive order on cybersecurity “in the coming weeks”, which includes a proposal to assign letter-grade cybersecurity ratings to software providers used by the federal government.

It is not yet clear whether the next cyber executive order will also address the risks posed by the latest Microsoft Exchange hack.

Russian and Chinese officials have denied any responsibility. Last week, Foreign Ministry spokesman Wang Wenbin said that China “strongly opposes and combats cyber attacks and cyber theft in all forms”.

Margaret Brennan contributed to this report.
