The Chinese hacking wave has reached an “astronomical” number of victims

When news broke earlier this week that Chinese hackers were actively targeting Microsoft Exchange servers, the cybersecurity community warned that the zero-day vulnerabilities they were exploiting may have let them reach numerous organizations around the world. It is now becoming clear just how many email servers they have hacked. The group known as Hafnium appears to have compromised as many victims as it could find on the global internet, leaving behind backdoors to return to later.

Hafnium has exploited zero-day vulnerabilities in Outlook Web Access on Microsoft’s Exchange servers to indiscriminately compromise no fewer than tens of thousands of email servers, according to sources with knowledge of the investigation into the hacking campaign who spoke to WIRED. The intrusions, first detected by the security company Volexity, began as early as January 6, with a noticeable increase last Friday and earlier this week. The hackers appear to have responded to Microsoft’s patch, released on Tuesday, by stepping up and automating their hacking campaign. A security researcher involved in the investigation, who spoke to WIRED on condition of anonymity, estimated the number of hacked Exchange servers at more than 30,000 in the United States alone and hundreds of thousands worldwide, all apparently by the same group. Independent cybersecurity journalist Brian Krebs first reported the 30,000 figure on Friday, citing sources who had briefed national security officials.

“It’s huge. Absolutely huge,” a former national security officer with knowledge of the investigation told WIRED. “We are talking about thousands of servers compromised per hour, globally.”

At a press conference on Friday afternoon, White House press secretary Jen Psaki urged anyone running the affected Exchange servers to apply Microsoft’s patch for the vulnerabilities immediately. “We are concerned about the large number of victims and we are working with our partners to understand the scope of this,” said Psaki, in a rare instance of a White House press secretary commenting on specific cybersecurity vulnerabilities. “Network owners also need to consider whether they have already been compromised and must take appropriate action immediately.” The White House advice echoed a tweet from Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, on Thursday night, advising anyone with an exposed Exchange server to “make a commitment” and begin incident response measures to remove the hackers’ access.

The affected networks, which likely belong to small and medium-sized organizations more than to large companies, which tend to use cloud-based email systems, appear to have been hacked indiscriminately through automated scanning. The hackers planted a “web shell”, a web-based, remotely accessible backdoor that serves as a foothold, on the Exchange servers they exploited, allowing them to perform reconnaissance on the target machines and potentially move laterally to other computers on the network.

This means that only a small fraction of the hundreds of thousands of hacked servers worldwide are likely to be actively targeted by the Chinese hackers, says Volexity founder Steven Adair. However, any organization that makes no effort to remove the hackers’ backdoor remains compromised, and the hackers can re-enter its network to steal data or cause disruption until the web shell is removed. “A large number of organizations are achieving this starting position,” says Adair. “It is a time bomb that can be used against them at any time.”
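The two paragraphs above describe the hackers’ foothold: a web shell dropped into a web-accessible folder of the Exchange server, which stays usable until someone finds and removes it. As an added example (not code from the article, from Microsoft, or from Volexity), the Python scanner below illustrates the kind of check an administrator can run over an IIS/Exchange web root to surface candidate web shells for review. It assumes, as a heuristic rather than a published indicator, that dropped web shells are small script files (.aspx/.ashx/.asp) in which request input flows into an evaluation or process-launch primitive; the directory names, file names and file contents are constructed sample data, and the fixture that plays the suspicious page is deliberately not a working script.

```python
"""Heuristic web-shell scanner for IIS/Exchange web directories (added example).

Assumptions, not facts from the article: web shells are small .aspx/.ashx/.asp
files in web-accessible folders, and they pass HTTP request input into an
eval/exec-style primitive. The regexes are generic heuristics; matches are
candidates for manual review, not confirmed compromises.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

WEB_EXTENSIONS = {".aspx", ".ashx", ".asp", ".asmx"}

# "Source" rules: attacker-controlled input read from the HTTP request.
SOURCE_PATTERNS = [
    ("request-input", re.compile(r"Request\s*(\.(Form|QueryString|Headers|Item)|\[)", re.I)),
]
# "Sink" rules: primitives that turn input into code or a process.
SINK_PATTERNS = [
    ("script-eval", re.compile(r"\beval\s*\(", re.I)),
    ("jscript-eval", re.compile(r"JScript\.Eval", re.I)),
    ("process-start", re.compile(r"Process\.Start\s*\(", re.I)),
]
# "Strong" rules fire on their own, without needing a source/sink pair.
STRONG_PATTERNS = [
    ("runat-server-eval", re.compile(r'runat="server".*?\beval\b', re.I | re.S)),
]


def score_file(text: str) -> list[str]:
    """Return the sorted rule labels that fire on one file's contents.

    A file is flagged when request input (source) and a code-execution
    primitive (sink) both appear, or when any strong rule matches. A source
    alone (e.g. a form field echoed back) is not enough to flag it.
    """
    hits = [label for label, rx in STRONG_PATTERNS if rx.search(text)]
    sources = [label for label, rx in SOURCE_PATTERNS if rx.search(text)]
    sinks = [label for label, rx in SINK_PATTERNS if rx.search(text)]
    if sources and sinks:
        hits.extend(sources + sinks)
    return sorted(set(hits))


def scan_directory(root: Path, max_size: int = 64 * 1024) -> dict[str, list[str]]:
    """Walk root and return {relative_posix_path: [labels]} for flagged files.

    Only small files are inspected: a dropped web shell is typically a few
    hundred bytes, while legitimate Exchange pages are large (assumption).
    """
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        if path.stat().st_size > max_size:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        labels = score_file(text)
        if labels:
            findings[path.relative_to(root).as_posix()] = labels
    return findings


def build_sample_tree(root: Path) -> None:
    """Write a constructed sample tree: one benign page, one suspicious page.

    Paths and contents are made up for the demo; the suspicious fixture only
    imitates the source->sink shape and is not a runnable script.
    """
    (root / "owa" / "auth").mkdir(parents=True)
    (root / "aspnet_client").mkdir()
    (root / "owa" / "auth" / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        '<html><body>Sign in: <asp:Login runat="server" /></body></html>\n'
    )
    (root / "aspnet_client" / "fixture.aspx").write_text(
        "<% eval(Request.Item[CONSTRUCTED_PLACEHOLDER]); %>\n"
    )


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_directory(root)


if __name__ == "__main__":
    for rel, labels in demo().items():
        print(f"REVIEW {rel}: {', '.join(labels)}")
```

Run against a real web root, the output is a review list, not a verdict: compare each flagged file against a known-good installation or the vendor’s file inventory, and treat a small script file that nobody can account for, especially one created after the intrusion window the article describes, as the backdoor the text warns about until proven otherwise.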

While the vast majority of intrusions appear to have consisted of just these web shells, the “astronomical” scale of the global compromises is exceptionally disturbing, a security researcher involved in the investigation told WIRED. The small and medium-sized organizations that have been compromised include local government agencies, police, hospitals, Covid response organizations, energy, transportation, airports and prisons. “China only owns the world – or at least everyone with Outlook Web Access,” said the researcher. “When was the last time someone was so bold as to hit worldwide?”
