Chinese Hacking Spree hit ‘astronomical’ number of victims

When news broke earlier this week that Chinese hackers were actively targeting Microsoft Exchange servers, the cyber security community warned that the zero-day vulnerabilities they were exploiting would enable them to hit numerous organizations around the world. Now it is becoming clear just how many email servers they have hacked. In all likelihood, the group known as Hafnium compromised as many victims as it could find on the internet, leaving behind backdoors to return to later.

Hafnium has now exploited the zero-day vulnerabilities in the Outlook Web Access component of Microsoft’s Exchange servers to indiscriminately compromise no fewer than tens of thousands of email servers, according to sources familiar with the investigation into the hacking campaign who spoke to WIRED. The intrusions, first spotted by security firm Volexity, had begun as early as January 6, with a noticeable rise starting last Friday and climbing further early this week. The hackers appear to have responded to Microsoft’s patch, released on Tuesday, by rushing and automating their hacking campaign. One security researcher involved in the investigation, who spoke to WIRED on condition of anonymity, put the number of hacked Exchange servers at more than 30,000 in the US alone, and hundreds of thousands worldwide, all apparently by the same group. Independent cyber security journalist Brian Krebs first reported that 30,000 figure on Friday, citing sources who had briefed national security officials.

“This is massive. Completely massive,” a former national security official with knowledge of the investigation told WIRED. “We’re talking about thousands of servers being compromised hourly worldwide.”

White House Press Secretary Jen Psaki warned at a news conference Friday afternoon that anyone running the affected Exchange servers should immediately apply Microsoft’s patch for the vulnerabilities. “We are concerned that there are a large number of victims and are working with our partners to understand the extent of this,” Psaki said in a rare case of a White House press secretary commenting on specific cybersecurity vulnerabilities. “Network owners should also consider whether they have already been compromised and take the necessary steps immediately.” The White House’s advice echoes a tweet from former Cybersecurity and Infrastructure Security Agency director Chris Krebs on Thursday night, advising anyone with an exposed Exchange server to assume compromise and begin incident response to remove the hackers’ access.

The affected networks, which probably include those of small and medium-sized organizations more than large enterprises, which tend to use cloud-based email systems, were apparently hacked indiscriminately through automated scanning. The hackers planted a ‘web shell’ – a remotely accessible, web-based backdoor – on the Exchange servers they exploited, so that they could later return to the target machines and possibly move on to other computers on the network.

This means that only a small number of the hundreds of thousands of hacked servers around the world are likely to be actively targeted by the Chinese hackers, says Steven Adair, founder of Volexity. Nevertheless, the hackers’ backdoor remains on any organization that does not bother to remove it, and the hackers can re-enter that organization’s network to steal data or cause chaos until the web shell is removed. “A massive, large number of organizations are gaining first foothold,” says Adair. “It’s a ticking time bomb that can be used against them at any time.”

Although the vast majority of intrusions appear to have consisted solely of planting web shells, the ‘astronomical’ scale of global compromises is uniquely disturbing, one security researcher who took part in the investigation told WIRED. The small to medium-sized organizations that have been compromised include local government agencies, police, hospitals, Covid response organizations, energy, transportation, airports and prisons. “China just owned the world – or at least everyone with Outlook Web Access,” the researcher said. “When was the last time someone was so bold as to just hit everyone?”
