Microsoft hack victims struggle to plug security holes

Victims of a massive global hack of Microsoft email server software, estimated in the tens of thousands by cybersecurity responders, rushed on Monday to shore up infected systems and reduce the chances that attackers could steal data or disrupt their networks.

The White House called the hack an “active threat” and said senior national security officials were addressing the issue.

The breach was discovered in early January and attributed to Chinese cyber-spies targeting US policy think tanks. Then, in late February, five days before Microsoft released a patch on March 2, there was an explosion of infiltrations by other intruders, piggybacking on the initial breach. Victims run the spectrum of organizations that operate their own e-mail servers, from small retailers to law firms, city governments, healthcare providers and manufacturers.

Although the hack does not pose the kind of national security threat that the more sophisticated SolarWinds campaign does, which the Biden administration attributes to Russian intelligence officials, it can be an existential threat to victims who did not install the patch in time and now have hackers in their systems. The hack represents a new challenge for the White House, which, even as it prepares to respond to the SolarWinds breach, must now deal with a formidable and very different threat from China.

“I would say it is a serious threat to economic security because so many small businesses can literally have their business destroyed by a targeted ransomware attack,” said Dmitri Alperovitch, former technical director at cybersecurity company CrowdStrike.

He blames China for the global wave of infections that began on February 26, although other researchers say it is too early to attribute them with confidence. It is a mystery how these hackers learned of the initial breach, because no one knew about it except a few researchers, Alperovitch said.

After the patch was released, a third wave of infections began, a pile-on that normally occurs in these cases because Microsoft dominates the software market and offers a single point of attack.

Cybersecurity analysts trying to assemble a complete picture of the hack said their analysis agrees with the figure of 30,000 victims in the United States published on Friday by cybersecurity blogger Brian Krebs. Alperovitch said there are estimates of some 250,000 victims globally.

Microsoft declined to say how many customers it believes are infected.

David Kennedy, CEO of cybersecurity firm TrustedSec, said hundreds of thousands of organizations could have been vulnerable to the hack.

“Anyone who had Exchange installed was potentially vulnerable,” he said. “It is not each one, but it is a large percentage of them.”

Katie Nickels, director of intelligence at cybersecurity company Red Canary, warned that installing patches will not be enough to protect those who are already infected. “If you fix it today, it will protect you in the future, but if opponents are already in your system, you need to take care of that,” she said.

A smaller number of organizations were targeted in the initial intrusion by hackers who took data, stole credentials or explored internal networks and left backdoors at universities, defense companies, law firms and infectious disease research centers, the researchers said. Among those Kennedy has worked with are manufacturers concerned about theft of intellectual property, hospitals, financial institutions and managed service providers that host the networks of various companies.

“On a scale of one to 10, that’s 20,” said Kennedy. “It was essentially a master key to starting any company that had this Microsoft product installed.”

Asked to comment, the Chinese embassy in Washington noted remarks last week by Foreign Ministry spokesman Wang Wenbin, saying that China “strongly opposes and combats cyber attacks and cyber theft in all forms” and warning that the attribution of cyber attacks must be based on evidence and not “unfounded accusations.”

The hack did not affect Microsoft 365 cloud-based email and collaboration systems, preferred by Fortune 500 companies and other organizations that can afford quality security. This highlights what some in the industry lament as two classes of computing: the security “haves” and “have-nots”.

Ben Read, director of analytics at Mandiant, said the cybersecurity company did not see anyone leveraging the hack to make financial gains, “but for people who are affected, time is of the essence in terms of fixing this problem.”

This is easier said than done for many victims. Many have skeletal IT staff and cannot afford an emergency cybersecurity response, not to mention the complications of the pandemic.

Solving the problem is not as simple as clicking an update button on your computer screen. It requires updating an organization’s entire so-called “Active Directory”, which catalogs email users and their respective privileges.

“Taking down your email server is not something you do lightly,” said Alperovitch, who chairs the nonprofit think tank Silverado Policy Accelerator.

Tony Cole of Attivo Networks said the sheer number of potential victims creates a perfect “smoke screen” for nation-state hackers to hide a much smaller list of targets by tying up already overworked cybersecurity workers. “There are not enough incident response teams to handle all of this.”

Many experts were surprised and perplexed at how quickly the groups infected server installations before Microsoft released its patch. Kennedy, of TrustedSec, said Microsoft took too long to release a patch, although he doesn’t think the company should have notified people about the flaw before the patch was ready.

Steven Adair, from cybersecurity company Volexity, who alerted Microsoft to the initial intrusion, described a “mass and indiscriminate exploitation” that began the weekend before the patch was released and included groups from “many different countries (including ) criminal actors.”

The Cybersecurity and Infrastructure Security Agency issued an urgent warning about the hack on Wednesday, and National Security Advisor Jake Sullivan tweeted about it the following night.

But the White House has yet to announce a specific initiative to respond.
