Microsoft Email Server Flaws Used to Compromise at Least 30,000 US Organizations

The emergency security patches that Microsoft released a few days ago to fix four zero-day flaws in Exchange Server did not deter the intruders exploiting them. In fact, according to KrebsOnSecurity and Wired, the Chinese state-backed group that has been dubbed Hafnium automated its campaign after the patch was released. In the U.S., the group infiltrated at least 30,000 organizations that used Exchange to process email, including police departments, hospitals, local governments, banks, credit unions, nonprofits and telecommunications providers. Worldwide, the number of victims is believed to be in the hundreds of thousands.

“Almost everyone who offered Outlook Web Access themselves and was not patched a few days ago had a zero-day attack,” a source told KrebsOnSecurity. A former national security official Wired talked to said thousands of servers per hour were being compromised around the world. When Microsoft announced its emergency patches, it credited security firm Volexity for notifying it of Hafnium's activities. Volexity president Steven Adair has now said that even organizations that patched their servers on the day Microsoft’s security update was released may still be compromised.

Furthermore, the patch only fixes the vulnerabilities in Exchange Server; organizations that have already been compromised will still need to remove the backdoor that the group has planted in their systems. Hafnium exploits the flaws to plant ‘web shells’ on its victims’ servers, giving it administrative access that it can use to steal information. According to KrebsOnSecurity, Adair and other security experts are concerned about the possibility of the intruders installing additional backdoors as the victims work to remove those already in place.

Microsoft has made it clear from the outset that these exploits have nothing to do with SolarWinds. That said, the activities of Hafnium could dwarf the SolarWinds attacks when it comes to the number of victims. Authorities estimate that approximately 18,000 businesses were affected by the SolarWinds breach, because that was the number of customers who downloaded the malicious software update. As Wired notes, however, Hafnium’s activities focus on small and medium-sized organizations, whereas the SolarWinds hackers infiltrated technology giants and large U.S. government agencies.

When asked about the situation, Microsoft told KrebsOnSecurity that it is working closely with the U.S. Cybersecurity and Infrastructure Security Agency, along with other government agencies and security companies, to provide its clients with ‘additional guidance for investigation and mitigation’.
