Move over, SolarWinds: 30,000 organizations’ emails hacked via Microsoft Exchange Server bugs

According to a report by KrebsOnSecurity, more than 30,000 US governmental and commercial organizations have had their emails hacked via four vulnerabilities found in Microsoft’s Exchange Server software. Wired also reports that “tens of thousands of email servers” have been hacked. The vulnerabilities have been patched by Microsoft, but security experts who spoke to Krebs say the detection and clean-up process will be a major effort for the thousands of state and city governments, fire and police departments, school districts, financial institutions and other organizations affected.

According to Microsoft, the vulnerabilities gave hackers access to email accounts, and also gave them the ability to install malware that would let them return to those servers later.

Krebs and Wired reported that the attack was carried out by Hafnium, a Chinese hacking group. Although Microsoft did not speak to the extent of the attack, it also points to the same group as having exploited the vulnerabilities, saying it has “high confidence” that the group is state-sponsored.

According to KrebsOnSecurity, the attack has been going on since January 6 (the day of the riots) but ramped up at the end of February. Microsoft released its patches on March 2, meaning the attackers had nearly two months to carry out their operations. The president of the cyber security firm Volexity, which discovered the attack, told Krebs that “if you run Exchange and you have not yet patched it, chances are your organization is already in jeopardy.”

Both White House National Security Advisor Jake Sullivan and former director of the Cybersecurity and Infrastructure Security Agency Chris Krebs (no relation to KrebsOnSecurity) tweeted about the seriousness of the incident.

Microsoft has released several security updates to resolve the vulnerabilities and recommends that they be installed immediately. Note that if your organization uses Exchange Online, it is not affected – the exploitation targets self-hosted servers running Exchange Server 2013, 2016 or 2019.

While a large-scale attack, likely by a state-sponsored group, may sound familiar, Microsoft is clear that these attacks are “in no way related” to the SolarWinds attacks that compromised U.S. federal government agencies and businesses last year.

It is likely that there are still details to come about this hack – so far there has been no official list of organizations that have been compromised, just a vague picture of the scope and severity of the attack.

A Microsoft spokesperson said the company is “working closely with the [Cybersecurity and Infrastructure Security Agency], other government agencies and security companies, to ensure that we provide the best possible guidance and mitigation for our customers,” and that “[t]he best protection is to apply updates to all affected systems as soon as possible.”
