White House warns of ‘active threat’ from Microsoft email hackers

“This is an active threat,” White House press secretary Jen Psaki said on Friday. “Everyone who manages these servers – government, private sector, academia – needs to act now to correct them.”

Psaki’s warning followed a Thursday-night tweet by national security adviser Jake Sullivan, who stressed how concerned the Biden administration is. He asked IT administrators across the country to install the software patches immediately. Sullivan said the United States government is monitoring reports that U.S. think tanks may have been compromised in the attack, as well as “defense industrial base entities”.

Later on Friday, the Cybersecurity and Infrastructure Security Agency (CISA) highlighted the risk in unusually plain language, stating in a tweet that the malicious activity, if left unchecked, could “allow an attacker to gain control of an entire corporate network”.

In a rare step, White House officials urged private sector organizations that run on-premises installations of Microsoft Exchange Server to install several critical updates that were released in what information security experts described as an emergency patch release.

Cybersecurity firm FireEye said on Thursday that it had already identified several specific victims, including “retailers based in the United States, local governments, a university and an engineering company”.

Pentagon press secretary John Kirby told reporters on Friday that the Department of Defense is working to determine whether it has been negatively affected by the vulnerability.

“We are aware of this and assessing it,” said Kirby. “And that is really as far as I am able to go now.”

Microsoft disclosed this week that it had become aware of several vulnerabilities in its server software that were being exploited by suspected Chinese state-backed hackers. In the past, Microsoft said, the hacking group responsible – which Microsoft calls Hafnium – has targeted “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs”. The group had not previously been identified publicly, according to Microsoft.
The announcement marked the latest information security crisis to hit the United States after FireEye, Microsoft and others reported a suspected Russian hacking campaign that began by infiltrating the IT software company SolarWinds. That effort resulted in the compromise of at least nine federal agencies and dozens of private companies.

But the malicious activity disclosed this week is not related to the SolarWinds hack, Microsoft said on Tuesday.

Microsoft typically releases software updates on the second Tuesday of each month. In a sign of the seriousness of the threat, Microsoft published patches for the new vulnerabilities – which had not been publicly known until now – a week early.

‘We urge network operators to take this very seriously’

The Department of Homeland Security also issued an emergency directive on Tuesday requiring federal agencies to update their servers or disconnect them. It is only the sixth such directive since the creation of CISA in 2018, and the second in three months.

“We ask network operators to take this very seriously,” said Psaki of the directive. The government is concerned about “a large number of victims,” she added.

Once Hafnium attackers compromise an organization, Microsoft said, they steal data such as address books and gain access to the user account database.

A person who works at a Washington think tank told CNN that both their work and personal email accounts were hit by the attackers. Microsoft sent them a warning that a foreign government was behind it; AOL sent a similar notification for the personal account.


The person was then visited by FBI agents, who appeared at their door and reiterated that it was an ongoing, sophisticated hack by a foreign government and that a nationwide FBI investigation was underway.

The attackers used their unauthorized access to send emails to the person’s contacts, “tailoring [the messages] so that the recipient would not doubt that I was the sender.” The fraudulent emails sent in the person’s name included invitations to non-existent conferences and referred to an article under their name and a book attributed to a colleague, none of which had been written by them.

Each message, the person said, came with links urging recipients to click on them.

“This is the real deal,” tweeted Christopher Krebs, the former director of CISA. “If your organization runs an OWA server exposed to the Internet, assume compromise between 02/26 and 03/03.”
In its own statement, CISA urged network defenders to begin looking for evidence of compromise dating back as far as September 2020.

The U.S. government’s extraordinarily public response to the incident surprised many experts and reflects both the Biden administration’s focus on cyber issues compared with the Trump White House and the scale of the threat.

“Is this the first time that the National Security Advisor has promoted a specific patch?” John Hultquist, vice president of FireEye’s Mandiant Threat Intelligence arm, wondered aloud.
“When you wake up to the [National Security Advisor] and [Press Secretary] tweeting about cyber,” tweeted Bailey Bickley, a spokesperson for the National Security Agency, attaching a “dazzled” emoji and quoting Sullivan’s tweet from the night before.

Michael Conte and Oren Liebermann of CNN contributed to this report.
