Why Microsoft’s email system hack is getting worse

A week after Microsoft announced that its widely used email server program was hacked, experts are not encouraged by what they have found.

“In short, it was very confusing,” said Katie Nickels, director of intelligence at cybersecurity company Red Canary. “We are not seeing signs of a slowdown.”

The cybersecurity community took action after Microsoft first announced a number of vulnerabilities that allow hackers to break into the company’s Exchange email and calendar server. The company said China used them to spy on a wide range of industries in the United States, from medical research to law firms and defense companies. China has denied responsibility.

But it did not stop there. Microsoft’s announcement, together with the effort to fix the flaws, appears to have attracted more hackers to exploit organizations that have not yet updated the software.

Nickels said she saw evidence that five different groups of hackers, whose identities are unknown, were exploiting the flaws.

The list of victims is growing, said Ben Read, director of threat analysis at cybersecurity company Mandiant.

“It’s big,” he said. “We are responding to more than 40 incidents, just the current customers that we have. We are at more than 500 likely victims based on confirmation from probable sources.”

While there is no official public list of victims, the full count is “definitely in the tens of thousands,” Read said. “There are definitely many small and medium sized entities. This is the Exchange customer base.”

A spokesman for the White House’s National Security Council said in an emailed statement that the Biden administration “is undertaking a government-wide response to assess and deal with the impact”.

“This is an active threat still in development,” said the spokesman.

While there have been no reports so far that any government agency has been affected, the US Cybersecurity and Infrastructure Security Agency, the nation’s top cybersecurity agency, on Wednesday exercised its emergency powers to force government agencies to upgrade to the latest version of Exchange.

In an exceptionally candid message, the agency then tweeted Monday evening that “CISA urges ALL organizations in ALL sectors to follow the guidelines for addressing widespread domestic and international exploitation of Microsoft Exchange Server product vulnerabilities.”

The hack started quietly, as a more surgical operation. Initially, the only hackers who exploited Exchange were those that Microsoft identified as Chinese spies, around the beginning of the year, the researchers say.

Towards the end of January, cybersecurity company Volexity noticed hackers spying on two of its customers and alerted Microsoft so it could start working on a fix for its next Exchange software update.

“They were using it explicitly to steal emails,” said Volexity President Steven Adair in a phone call. “It was off the radar.”

Adair said that after telling Microsoft, he noticed a change in the hackers’ activity: they seemed to realize that a fix was coming, so they went from quietly stealing emails to trying to establish footholds that would let them stay on their victims’ networks, which made them much more visible to cybersecurity defenders.

“You don’t care if they’re noisy, because you’re trying to beat a patch,” he said of the hackers’ pivot. “You have found your high priority targets, you have been stealing emails and now you want to move on. You may want to build an infrastructure to launch future attacks.”

Nickels of Red Canary said that hackers began frantically exploiting Exchange vulnerabilities in late February, and that has increased since then.

“We continue to see exploitation of these vulnerabilities over the weekend,” she said. “Any organization with an Exchange server needs to take this very seriously.”