At least 30,000 U.S. organizations recently hacked through holes in Microsoft’s email software – Krebs on Security

At least 30,000 organizations across the United States – including a significant number of small businesses, towns, cities and local governments – have been hacked in recent days by an extraordinarily aggressive Chinese cyber espionage unit focused on stealing email from victim organizations, several sources tell KrebsOnSecurity. The espionage group is exploiting four newly discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total remote control over the affected systems.

On March 2, Microsoft released emergency security updates to close four security holes in Exchange Server versions 2013 through 2019 that hackers were actively exploiting to siphon email communications from Internet-facing systems running Exchange.

In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.

In each incident, the intruders left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser and gives the attackers administrative access to the victim’s computer servers.

Two cybersecurity experts who briefed U.S. national security advisers on the attack told KrebsOnSecurity that the Chinese hacking group responsible has seized control of “hundreds of thousands” of Microsoft Exchange servers worldwide, with each victim system representing roughly one organization that uses Exchange to process email.

Microsoft said the Exchange flaws were being targeted by a previously unidentified Chinese hacking crew it calls “Hafnium,” and said the group had conducted targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.

Microsoft’s initial advisory on the Exchange flaws credited Reston, Va.-based Volexity with reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on January 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.

But Adair said the hacking group shifted into high gear over the past few days and began rapidly scanning the Internet for Exchange servers that had not yet been protected by the security updates.

“We have so far worked on dozens of cases where web shells were installed on the victim system from February 28 [before Microsoft announced its patches] all the way up to today,” said Adair. “Even if you updated the same day Microsoft released its patches, chances are there’s a web shell on your server. The truth is that if you run Exchange and you have not yet patched it, chances are your organization is already in jeopardy.”

Reached for comment, Microsoft said it was working closely with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), other government agencies and security companies to ensure that it provides the best possible guidance and mitigation for its customers.

“The best protection is to apply updates to all affected systems as soon as possible,” a Microsoft spokesman said in a written statement. “We continue to help customers by providing additional guidance for investigation and mitigation. Affected customers should contact our support teams for additional assistance and resources.”

Adair said that today alone Volexity had fielded dozens of calls from state and local government agencies that had identified the backdoors in their Exchange servers and were pleading for help. The problem is that patching the bugs only closes the four different ways the hackers get in; it does nothing to undo the damage already done.

By all accounts, rooting out these intruders will require an unprecedented and urgent nationwide cleanup effort. Adair and others say they are concerned that the longer it takes for victims to remove the backdoors, the greater the chance that the intruders will follow up by installing additional backdoors, and perhaps expand the attack to other parts of the victim’s network infrastructure.

Security researchers have released a tool on Microsoft’s GitHub code repository that lets anyone scan the Internet for Exchange servers infected with the backdoor web shell.

KrebsOnSecurity has seen portions of a victim list compiled using this tool, and it’s not a pretty picture. The backdoor web shell is present on the networks of thousands of U.S. organizations, including banks, credit unions, nonprofits, telecommunications providers, public utilities, and police, fire and rescue services.

“These are police departments, hospitals, tons of city and state governments and credit unions,” said a source who works closely with federal officials. “Almost everyone who offered Outlook Web Access and did not patch it a few days ago had a zero-day attack.”

Another government cybersecurity expert who took part in a recent call with several stakeholders affected by this hack is worried that the cleanup effort is going to be Herculean.

“There have been many questions from school districts or local governments that all need help,” the source said, speaking on condition that they not be identified by name. “If these numbers are in the thousands, how does incident response get done? There just aren’t enough incident response teams to do it fast.”

When it unveiled patches for the four Exchange Server flaws on Tuesday, Microsoft stressed that the vulnerabilities do not affect customers running its Exchange Online service (Microsoft’s enterprise cloud email offering). According to sources, the vast majority of the organizations victimized so far were running some form of Internet-facing Microsoft Outlook Web Access (OWA) email system in tandem with Exchange servers internally.

“This is a question worth asking: what is going to be Microsoft’s recommendation?” the cybersecurity expert said. “They will say ‘Patch, but it’s better to go to the cloud.’ But how do they secure their non-cloud products? Let them wither on the vine.”

The government cybersecurity expert said these most recent attacks were not characteristic of the type of nation-state intrusion usually attributed to China, which tends to go after specific strategic targets.

“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be so indiscriminate.”

Microsoft said Hafnium’s attacks on vulnerable Exchange servers were in no way related to the separate attacks targeting SolarWinds, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.

“We still see no evidence that the actor behind SolarWinds has discovered or exploited any vulnerabilities in Microsoft products and services,” the company said.

Nevertheless, the events of the past few days may well overshadow the damage done by the SolarWinds intruders.

This is a fast-moving story and will likely be updated several times throughout the day. Stay tuned.

Tags: Hafnium, Microsoft Exchange Server Error, Steven Adair, Volexity

This entry was posted on Friday, March 5th, 2021 at 4:07 pm and is filed under Latest Alerts, The Coming Storm, Time to Patch.
