Microsoft email server flaws exploited to hack at least 30,000 U.S. organizations

The emergency security patch that Microsoft released a few days ago to fix four zero-day flaws in Exchange Server has not stopped the group of hackers who are exploiting them. In fact, according to Krebs on Security and Wired, the Chinese state-sponsored group dubbed Hafnium has stepped up and automated its campaign since the patch was released. In the United States, the group has infiltrated at least 30,000 organizations that use Exchange to process email, including police departments, hospitals, local governments, banks, credit unions, nonprofits and telecommunications providers. Worldwide, the number of victims reaches hundreds of thousands.

“Virtually everyone who runs self-hosted Outlook Web Access and hadn’t been patched as of a few days ago has been hit by a zero-day attack,” a source told Krebs. A former national security official told Wired that thousands of servers are being compromised per hour worldwide. When Microsoft announced its emergency patch, it credited security company Volexity for notifying it of Hafnium’s activities. Volexity President Steven Adair now says that even organizations that patched their servers the day Microsoft’s security update was released may already have been compromised.

In addition, the patch only closes the Exchange Server vulnerabilities – organizations that were already compromised will still have to remove the backdoor the group has planted on their systems. Hafnium is exploiting the flaws to plant “web shells” on its victims’ servers, giving the attackers administrative access that they can use to steal information. According to Krebs, Adair and other security experts are concerned that the intruders will be able to install additional backdoors while victims are busy removing the ones already in place.

Microsoft made clear from the beginning that these exploits have nothing to do with SolarWinds. That said, Hafnium’s campaign could well surpass the SolarWinds attack in its number of victims. Authorities believe that about 18,000 entities were affected by the SolarWinds breach, as that was the number of customers who downloaded the malicious software update. As Wired notes, however, Hafnium’s activity is concentrated on small and medium-sized organizations, whereas the SolarWinds hackers infiltrated technology giants and large US government agencies.

When asked about the situation, Microsoft told Krebs that it is working closely with the US Cybersecurity & Infrastructure Security Agency, along with other government agencies and security companies, to provide its customers with “additional investigation and mitigation guidance”.