“Hack everyone you can”: what to know about the huge Microsoft Exchange breach

Internet security responders are working around the clock to shore up networks affected by last week’s hack of Microsoft’s Exchange email service, an attack that has hit hundreds of thousands of organizations worldwide.

The White House on Friday urged victims to update their systems and stressed the urgency: the window for patching should be “measured in hours, not days,” a senior administration official said.

“This is a crazy huge hack,” Christopher Krebs, former director of the US Cybersecurity and Infrastructure Security Agency (CISA), tweeted last week.

The scope of the breach is still being measured. President Joe Biden was briefed on the attack and discussed it during a summit with leaders from India, Japan and Australia, National Security Adviser Jake Sullivan said. The National Security Council has formed a multi-agency government task force to address the massive attack.

The breach follows last year’s Russian-linked hack, which used SolarWinds software to spread malicious software across 18,000 government and private computer networks.

FireEye CEO Kevin Mandia visits the unused office space of the cybersecurity company in Reston, Va., Tuesday, March 9, 2021. Mandia said 550 of its employees work remotely and are responding to a recent deluge of cyber attacks, including four different zero-day attacks on Microsoft Exchange.

Nathan Ellgren / AP


“SolarWinds was bad. But the mass hacking that is taking place here is literally the biggest hack I’ve seen in my fifteen years,” said David Kennedy, CEO of cybersecurity firm TrustedSec. “In this particular case, there was no rhyme or reason for who [attackers] hacked. They literally hacked everyone in this short time and caused as much pandemonium and chaos as possible.”

Here’s what you need to know about the Microsoft Exchange hack:

When did the attack start?

Hackers targeted Exchange servers in early January, according to cybersecurity firm Volexity, which Microsoft credited with identifying the initial exploits.

According to Microsoft Vice President Tom Burt, hackers first gained access to an Exchange server either with stolen passwords or by using previously undiscovered vulnerabilities to “disguise themselves as someone who should have access.” Using web shells, the hackers then controlled the compromised servers remotely, operating from private servers based in the United States, to steal data from a victim’s network.

Who is behind the attack?

Microsoft has identified a Chinese group known as “Hafnium” as the primary actor behind the initial attacks.

“The Hafnium group has a historical focus on infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and non-governmental organizations,” Burt wrote in a company blog post.

In this photo illustration, a Microsoft logo is seen on a smartphone with stock market values in the background.

Omar Marques / SOPA Images / Sipa USA via AP Images


How did Microsoft respond?

Microsoft disclosed the vulnerabilities on March 2 and released patches for various versions of Exchange. Microsoft usually announces updates on the second Tuesday of each month, known as “Patch Tuesday,” so an announcement on the first Tuesday of the month is an indication of urgency.

Days later, the company also took the unusual step of releasing security updates for outdated, unsupported versions of Exchange Server.

A Microsoft spokesman told CBS News that the company works closely with CISA, other government agencies and security companies. In a statement provided to CBS News last week, the company said: “The best protection is to apply updates as soon as possible to all affected systems. We continue to help customers by providing additional guidelines for investigation and mitigation. Affected customers should contact our support teams for additional assistance and resources.”

How did the attack develop?

Experts say it is common for hackers to accelerate an attack immediately before a fix is released, but that the pace in this case was much faster. “Once a patch is on hand, [hackers] can move to wider exploitation, because there is the ‘use it or lose it’ factor,” said Ben Read, director of threat analysis at cybersecurity company Mandiant.

But in late February, a few days before Microsoft announced its security updates, security researchers saw an automated second-wave attack targeting victims across industries.

“They got very aggressive and in fact hacked everyone,” Kennedy said. Hackers planted backdoors, known as “web shells,” in systems and launched an attack on organizations “without rhyme or reason.” Kennedy added: “We have not seen it from China yet.”

Microsoft said Friday that it is investigating whether attackers were tipped off that a patch was imminent. The internal investigation focuses on “what could have led to malicious activity at the end of February,” but investigators have not yet drawn any conclusions. “We have not seen any indication of a leak from Microsoft related to this attack,” a Microsoft spokesman told CBS News.

What did the hackers want?

The hackers’ purpose is unclear. “Tens of thousands of targets, most of which actually have no intelligence value,” Read said. “These are just small towns and local businesses. Their information probably has no value to the Chinese government.” Read called the “level of mass exploitation” of casual bystanders a “very rare” display of power.

And what began as an operation by Chinese hackers soon gave way to a feeding frenzy of criminal gangs in other countries, including Russia.

At least ten espionage groups have exploited the flaws in the Exchange Server email program worldwide, antivirus firm ESET said in a blog post on Wednesday.

Who is targeted?

Cybersecurity experts tell CBS News that tens of thousands of private and public U.S. entities have been affected. “Initially, early estimates put it at 30,000. We see a number that is much higher now,” Kennedy said. “Worldwide, it’s definitely in the hundreds of thousands of servers hacked.”

The list of victims worldwide continues to grow and includes schools, hospitals, cities and pharmacies. In a blog post, cybersecurity firm CyberEye identified a variety of victims, including U.S. retailers, local governments, a university and an engineering firm.

The European Banking Authority, the EU banking regulator, has announced that it has been hit.

The attack largely spared Fortune 500 companies and large organizations that have migrated their servers to Microsoft Exchange Online, Microsoft’s cloud-based email and calendar service. But the widespread attack will be painful for smaller businesses that run Microsoft software on their own servers and cannot afford the best security.

“By far the most important victims are small and medium-sized businesses that do not follow everyday security news, and they may not know that there is a big problem,” Katie Nickels, director of intelligence at cybersecurity firm Red Canary, told CBS News. She added that notifying victims poses a “major challenge” given the large number of organizations affected. “The thing that worries me the most is everyone we don’t see,” she said.

Has the federal government been breached?

Officials have not confirmed any breaches of federal agencies, Eric Goldstein, executive assistant director of CISA’s cybersecurity division, told lawmakers last week. “At this stage, there are no federal civilian agencies compromised by this campaign.”

But National Security Adviser Jake Sullivan said Friday that the federal government is still trying to determine the scope and extent of the hack.

The Cybersecurity and Infrastructure Security Agency (CISA) said the breach “poses an unacceptable risk to Federal Civilian Executive Branch agencies,” and issued an emergency directive on March 2 requiring all agencies to immediately patch or disconnect any affected Exchange Server.

What is the risk?

Cybersecurity firms say they have begun to see hackers stealing network passwords and installing cryptocurrency-mining malware on compromised servers.

And Microsoft said in a late-night tweet on Thursday that it had detected a new type of “ransomware,” malicious software designed to block access to a computer until the victim pays a sum of money.

Although companies may assume that their systems are fixed as soon as they install Microsoft’s security updates, patching does not evict attackers who are already on the servers, leaving organizations that have already been hacked susceptible to further exploitation.
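A patch closes the door that was used to get in; it does not remove a web shell that was dropped before the patch was applied. The script below is an added example for this article, not code from the article, from Microsoft or from any of the firms it quotes. It walks a directory of web-served files and flags script files that were modified after the patch was applied, or whose content carries markers commonly seen in server-side web shells. The file extensions, the marker strings, the patch time (taken from the March 2 release date the article gives) and the sample directory tree are all assumptions made for illustration.

```python
"""Post-patch sweep for web shells left behind on a mail server.

Added example; not from the article or any vendor it quotes. Walks a web
root and reports script files that were modified after the patch time or
that contain marker strings typical of server-side web shells. Extensions,
markers, patch time and the sample tree are assumptions for illustration.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# Assumed markers: primitives a server-side web shell typically needs,
# i.e. reading attacker-controlled request input and executing it.
SUSPICIOUS_PATTERNS = [
    re.compile(r"Request\s*[\[.]", re.IGNORECASE),
    re.compile(r"\beval\s*\(", re.IGNORECASE),
    re.compile(r"Process\.Start", re.IGNORECASE),
    re.compile(r"System\.Diagnostics\.Process", re.IGNORECASE),
]

# Assumed: server-side script types served by an ASP.NET web front end.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")

# Assumed patch time: the article gives March 2 as the release date of the
# fixes; a real sweep uses the time the patch was actually installed.
PATCH_TIME = datetime(2021, 3, 2, tzinfo=timezone.utc)


def sweep(root, patch_time):
    """Return [(path, [reasons])] for script files that deserve a manual look."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            # Files written after the patch went in are worth a look regardless
            # of content: the patch cannot have put them there.
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if mtime > patch_time:
                reasons.append("modified after patch")
            try:
                with open(path, "r", errors="replace") as fh:
                    content = fh.read()
            except OSError:
                continue
            hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(content)]
            if hits:
                reasons.append("content matches: " + ", ".join(hits))
            if reasons:
                findings.append((path, reasons))
    return findings


def build_sample_tree():
    """Create a constructed web root: one benign page, one marker-bearing file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    owa = os.path.join(root, "owa")
    os.makedirs(owa, exist_ok=True)

    # Benign page, backdated so it predates the patch (constructed sample).
    benign = os.path.join(owa, "default.aspx")
    with open(benign, "w") as fh:
        fh.write('<%@ Page Language="C#" %>\n<html><body>Mail login</body></html>\n')
    old = datetime(2021, 2, 1, tzinfo=timezone.utc).timestamp()
    os.utime(benign, (old, old))

    # Stand-in for a dropped file: written now (after the patch) and carrying
    # marker text in a comment only; it is not a working shell (constructed).
    dropped = os.path.join(owa, "help.aspx")
    with open(dropped, "w") as fh:
        fh.write("<%-- constructed sample containing the marker "
                 "System.Diagnostics.Process.Start --%>\n")
    return root


def run_demo():
    """Build the sample tree and sweep it; returns the findings list."""
    return sweep(build_sample_tree(), PATCH_TIME)


if __name__ == "__main__":
    for path, reasons in run_demo():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the constructed tree only `help.aspx` is reported, with both reasons: it was written after the patch time and its content matches two of the markers. A modification time alone is a weak signal, since timestamps can be reset, so the content check runs on every script file regardless of age; the output is a list for a person to review, not a verdict.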

“There is also a lot of concern now that China is going to sell these accounts” to bad actors, including “authors of ransomware to do as much damage as possible,” Kennedy said. “So this is a very critical period for us.”

Is it linked to SolarWinds?

The latest attack is unrelated to last year’s SolarWinds breach, though the timing of two large, consecutive hacks has hampered the industry’s ability to respond.

“The big impact on the industry is timing,” Nickels said. “We’ve been in a pandemic for a year. People work remotely, and they’re exhausted and stressed.”

U.S. officials told CBS News that although the SolarWinds hack had greater consequences for national security, since hackers breached nine federal agencies in that attack, the attack on Microsoft Exchange is much broader.

“It’s definitely bigger than SolarWinds,” Kennedy said. “While [SolarWinds] was bad, it did not hit nearly the breadth of systems here.”

“This hack is very noisy and much easier to detect, but the scale makes it so worrying,” Nickels said.

Senior White House officials told reporters on Friday that the Biden administration would announce executive action in the wake of the SolarWinds attack. The White House will also unveil a new executive order on cyber in the “next few weeks,” which includes a proposal to give letter-grade cybersecurity ratings to software vendors used by the federal government.

It remains unclear whether the upcoming executive order will also address the risks posed by the latest Microsoft Exchange hack.

Both Russian and Chinese officials have denied responsibility. Last week, Foreign Ministry spokesman Wang Wenbin said China strongly opposes and fights cyber attacks and cyber theft in all its forms.

Margaret Brennan contributed to this report.
