Move over, SolarWinds: email of 30,000 organizations hacked through Microsoft Exchange Server flaws

Four exploits found in Microsoft’s Exchange Server software have reportedly led to more than 30,000 U.S. government and commercial organizations having their email hacked, according to a report by KrebsOnSecurity. Wired is also reporting “tens of thousands of hacked email servers”. The exploited flaws have been fixed by Microsoft, but security experts speaking to Krebs say the detection and cleanup process will be a major effort for the thousands of state and municipal governments, fire and police departments, school districts, financial institutions and other organizations that have been affected.

According to Microsoft, the vulnerabilities allowed attackers to gain access to email accounts and also gave them the ability to install malware that could let them return to those servers later.

Krebs and Wired report that the attack was carried out by Hafnium, a Chinese hacking group. While Microsoft did not comment on the scale of the attack, it also points to the same group as having exploited the vulnerabilities, saying it has “high confidence” that the group is state-sponsored.

According to KrebsOnSecurity, the attack has been underway since January 6 (the day of the riot), but intensified in late February. Microsoft released its patches on March 2, meaning that attackers had almost two months to carry out their operations. The president of cybersecurity company Volexity, which discovered the attack, told Krebs that “if you’re running Exchange and haven’t patched it yet, there’s a high chance that your organization is already compromised”.

Both the White House National Security Advisor, Jake Sullivan, and the former director of the Cybersecurity and Infrastructure Security Agency, Chris Krebs (unrelated to KrebsOnSecurity), tweeted about the seriousness of the incident.

Microsoft has released several security updates to address the vulnerabilities and urges that they be installed immediately. It is important to note that if your organization uses Exchange Online, it will not have been affected – exploitation was seen only on self-hosted servers running Exchange Server 2013, 2016 or 2019.

While a large-scale attack, probably carried out by a state actor, may sound familiar, Microsoft makes it clear that these attacks “are in no way connected” to the SolarWinds attacks that plagued US companies and federal government agencies last year.

Many details of this hack are likely still to emerge – so far, there is no official list of organizations that have been compromised, just a vague picture of the large scale and high severity of the attack.

A Microsoft spokesman said the company is “working closely with the [Cybersecurity and Infrastructure Security Agency], other government agencies and security companies, to ensure that we are providing the best guidance and mitigation possible for our customers,” and that “[t]he best protection is to apply updates as quickly as possible to all affected systems.”
