Microsoft’s “Crazy Huge Hack,” Explained


Photo: David Ramos (Getty Images)

Last week, Microsoft announced that the on-premises version of its widely used email and calendar product, Exchange, had several previously unknown security flaws. According to the company, these flaws are being exploited by foreign threat actors to break into the networks of U.S. businesses and governments, primarily to steal large amounts of email data. Since then, the primary question on everyone’s mind has been: how bad is it?

The short answer is: it is quite bad.

So far, descriptors such as “crazy huge,” “astronomical,” and “extremely aggressive” look to be right on the money. As a result of the Exchange vulnerabilities, tens of thousands of U.S. businesses have likely had malicious backdoors implanted in their systems. Anonymous sources close to the investigation have repeatedly told reporters that somewhere around 30,000 U.S. organizations have been compromised because of the security shortcomings (if correct, these numbers officially dwarf SolarWinds, which according to the White House led to the compromise of about 18,000 institutions in the country and nine federal agencies). The number of businesses compromised globally may be much greater. A source recently told Bloomberg that there are “at least 60,000 known victims worldwide.”

Even more troubling, some researchers say that since the public disclosure of the Exchange vulnerabilities, attacks on the product appear to have accelerated. Anton Ivanov, a threat research specialist at Kaspersky, said in an email that his team has seen an increase in activity over the past week.

“From the beginning, we expected that efforts to exploit these vulnerabilities would increase rapidly, and that is exactly what we are seeing now – so far we have observed such attacks in more than a hundred countries, in virtually every part of the world,” Ivanov told Gizmodo. “Although the initial attacks were targeted, there is no reason for actors not to try their luck by attacking essentially any organization running a vulnerable server. These attacks are associated with a high risk of data theft or even ransomware attacks, and therefore organizations need to take protective measures as soon as possible.”

How do the attacks happen?

Microsoft Exchange Server is available in two forms, which has caused confusion about which systems are at risk: there is an on-premises product and a software-as-a-service cloud product. The cloud product, Exchange Online, is reportedly not affected by the security flaws. As said before, it is the on-premises product that is being exploited. Other Microsoft email products are not believed to be vulnerable. As CISA put it: “It is not currently known whether the vulnerabilities or the identified exploitation activity are affecting Microsoft 365 or Azure Cloud implementations.”

There are four vulnerabilities in on-premises Exchange servers that are being actively exploited (see: here, here, here, and here). Three other security vulnerabilities exist, but authorities say these have not yet seen active exploitation (see: here, here, and here). Patches can be found on Microsoft’s website; however, as we will go into in more detail later, there have been problems with deploying them properly.

So far, Microsoft has mainly blamed a threat actor it calls “HAFNIUM” for the intrusions into Exchange. HAFNIUM is said to be a state-sponsored group whose method involves using the security flaws to deploy web shells – malicious scripts that can serve as backdoors into systems. With these web shells, remote hackers can gain access to servers and then exfiltrate large chunks of email data – including entire mailboxes. HAFNIUM’s purpose appears to be intelligence gathering. Although the group is believed to be based in China, the Chinese government has denied any responsibility.

However, security researchers say it is almost certain that other threat actors are also exploiting the vulnerabilities. The security firm Red Canary reported over the weekend that it had observed several activity clusters targeting Exchange servers and that organizations should not assume they are necessarily being targeted by HAFNIUM – it could be someone else. “Based on our visibility and that of researchers from Microsoft, FireEye, and others, there are at least 5 different activity groups that appear to be exploiting the vulnerabilities,” Red Canary researcher Katie Nickels said on Saturday.

Who is getting hit?

Due to the widespread use of Exchange, many different types of entities are at risk. Some large organizations – including the European Banking Authority – have announced breaches. It is not yet known whether any government agencies have been affected, although numerous agencies – including the Pentagon – are currently going through their own networks to investigate whether they have been compromised.

Security researchers have expressed concern about smaller entities – specifically city and county governments and small and medium-sized enterprises – which they say are more at risk. In North Dakota, the state government recently acknowledged that HAFNIUM had targeted it and that it is investigating whether Chinese hackers stole data.

Lior Div, CEO of security firm Cybereason, said smaller businesses in particular were at risk of being compromised by the campaigns. Div highlighted the potential impact this hack could have on local economies should the attacks turn out to be destructive rather than merely intrusive:

“The latest attack on Microsoft Exchange is a thousand times more devastating [than SolarWinds] because the Chinese attackers targeted SMEs [small and medium-sized enterprises], the lifeblood of the US economy and the driver of the world economy,” Div said in an email. “SMEs have been most affected by the COVID-19 pandemic, with millions of businesses around the world. And just as we are starting to turn around after a devastating year, this attack on SMEs is being launched. This attack is possibly even more damaging because SMEs usually do not have as robust a security posture in place, enabling threat actors to prey on the weak and thus drive strong revenue streams.”

What is being done?

The White House announced late Sunday that it would put together a task force to investigate the extent of the hack. This response, however, could be slowed by the fact that the Biden administration is already responding to the SolarWinds hack (the White House is currently preparing covert cyber operations and sanctions against Russia over its alleged role in those attacks).

As noted above, Microsoft has released patches for these vulnerabilities – but these patches have had issues. A Microsoft spokesperson said on Thursday that in some cases the patches appeared to install but did not actually fix the vulnerability. A full breakdown of the problem can be found on Microsoft’s website.

Organizations are warned not just to patch the vulnerabilities but also to investigate whether they have already been compromised. Microsoft has announced resources to help with that. It released an update to its Safety Scanner (MSERT) tool that can help identify web shells deployed against Exchange servers. MSERT is an anti-malware tool that scans for, identifies and removes malware on a system.
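As an added example (not from the article, Microsoft or the MSERT tool), the following PowerShell script performs the kind of post-patch hunt described above on an on-premises Exchange server: it lists script files under default Exchange/IIS web directories that were created or changed after a given date, hashes them for comparison against published indicators, and flags tokens common in ASP.NET web shells. The directory paths, the `-Since` window and the keyword list are assumptions and should be adjusted to the environment; the script only reports and never deletes anything.

```powershell
# Added example: read-only web-shell hunt on an on-premises Exchange server.
# Paths are assumed default IIS/Exchange locations; $env:ExchangeInstallPath is set by Exchange setup.
param(
    [datetime]$Since = (Get-Date).AddDays(-30),   # assumed window; set to your disclosure/patch date
    [string[]]$Roots = @(
        "$env:SystemDrive\inetpub\wwwroot\aspnet_client",
        "$env:ExchangeInstallPath\FrontEnd\HttpProxy\owa\auth",
        "$env:ExchangeInstallPath\FrontEnd\HttpProxy\ecp\auth"
    )
)

# Tokens commonly seen in ASP.NET web shells (assumed heuristic list); a match is a lead to review, not proof.
$Suspicious = 'eval\(|Execute\(|Process\.Start|cmd\.exe|powershell'

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include *.aspx, *.asp, *.ashx -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Recently created or modified files in these directories are unusual on a patched server.
            $recent  = ($_.LastWriteTime -ge $Since) -or ($_.CreationTime -ge $Since)
            $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            $hit     = [bool]($content -and ($content -match $Suspicious))
            if ($recent -or $hit) {
                [pscustomobject]@{
                    Path         = $_.FullName
                    Created      = $_.CreationTime
                    LastWrite    = $_.LastWriteTime
                    # Hash lets you compare against vendor IoC lists without re-reading the file.
                    SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    RecentChange = $recent
                    KeywordMatch = $hit
                }
            }
        }
}

if ($findings) {
    $findings | Sort-Object LastWrite -Descending | Format-Table -AutoSize
    Write-Warning "Review each file above and compare its SHA256 against Microsoft's published indicators before removing anything."
} else {
    Write-Host "No recently changed or keyword-matching script files found under the scanned roots."
}
```

Run it in an elevated PowerShell session on the Exchange server itself; a clean result here does not replace a full MSERT scan, since web shells can be dropped in non-default directories as well.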

Beyond shoring up defenses and inspecting systems for indicators of compromise, not much can be done at this stage. As with SolarWinds, Americans will probably just have to sit and wait. It will certainly take time to understand how big the damage is.
