White House warns of ‘active threat’ by Microsoft email hackers

“This is an active threat,” White House press secretary Jen Psaki said Friday. “Everyone who runs these servers – the government, the private sector, the academy – must now take action to restore it.”

Psaki’s warning follows a tweet by National Security Adviser Jake Sullivan on Thursday night that underlined how concerned the Biden administration is. He urged IT administrators nationwide to install software fixes immediately. Sullivan said the U.S. government was monitoring reports that U.S. think tanks had been targeted by the attack, as well as “defense industry base entities.”

Later on Friday, the Cybersecurity and Infrastructure Security Agency underlined the risk in extraordinarily clear language, saying in a tweet that the malicious activity, if left unchecked, could enable an attacker to take control of an entire enterprise network.

In a rare move, White House officials called on private sector organizations that manage on-premises installations of Microsoft Exchange server software to install several critical updates that were released in what information security experts describe as an emergency release.

Cybersecurity firm FireEye said Thursday it has already identified a number of specific victims, including “U.S. merchants, local governments, a university and an engineering firm.”

Pentagon press secretary John Kirby told reporters on Friday that the Department of Defense was currently working to determine whether it had been affected by the vulnerability.

“We are aware of it and we judge it,” Kirby said. “And that’s really as far as I can go now.”

Microsoft announced this week that it has become aware of several vulnerabilities in its server software that are being exploited by suspected Chinese hackers. Microsoft has said that the responsible hacker group – which Microsoft calls Hafnium – goes after “infectious disease researchers, law firms, higher education institutions, defense contractors, policy thinkers and non-governmental organizations.” According to Microsoft, the group in question has not been previously identified to the public.

The announcement was the latest information security crisis to hit the U.S. after FireEye, Microsoft and others reported a suspected Russian hacking campaign that began by infiltrating IT software company SolarWinds. That effort has led to the compromise of at least nine federal agencies and dozens of private enterprises.

But the malicious activity revealed this week has nothing to do with the SolarWinds hack, Microsoft said on Tuesday.

Microsoft usually releases software updates on the second Tuesday of each month. But in a sign of the seriousness of the threat, Microsoft published the patches a week early to address the new vulnerabilities – which had not been detected until now.

‘We call on network operators to take it very seriously’

The Department of Homeland Security also issued an emergency directive on Tuesday requiring federal agencies to update or disconnect their servers. This is only the sixth such directive since the inception of CISA in 2015, and the second in three months.

“We call on network operators to take this very seriously,” Psaki said of the directive. The administration is aware that there is a ‘large number of victims’, she added.

Once the Hafnium attackers had compromised an organization, Microsoft said, the group was known to download data such as address books and to access the organization’s user account database.

One person working at a think tank in Washington told CNN that her work and personal email accounts had been hit by the attackers. Microsoft sent her a warning that a foreign government was behind it. AOL sent a similar notification for the personal account.


The person was then visited by FBI agents who showed up at her doorstep and reiterated that it was indeed an ongoing, sophisticated hack by a foreign government and that a nationwide FBI investigation was underway.

The attackers used their unauthorized access to email the person’s contacts, she said, writing the messages “in a way that the recipient will not doubt that I am the sender.” The fraudulent emails the attackers sent in the person’s name included invitations to non-existent conferences and referred to an article in her name and a book in a colleague’s name, none of which had been written by them.

According to the person, every message contained links that recipients were asked to click on.

“This is the right thing to do,” tweeted Christopher Krebs, the former CISA director. “If your organization runs an OWA server that is exposed to the Internet, accept a compromise between 02/26-03/03.”

In its own advisory, CISA encouraged network security officers to start looking for evidence of intrusions dating as far back as September 2020.

The U.S. government’s extraordinary public response to the incident came as a surprise to many experts, reflecting the Biden administration’s focus on cyber issues compared to the Trump White House, as well as the scale of the threat.

“Is this the first time the National Security Adviser has promoted a specific patch?” John Hultquist, vice president of FireEye’s Mandiant threat intelligence arm, wondered aloud.

“When you wake up with the [National Security Advisor] and [Press Secretary] tweeting about cyber,” tweeted Bailey Bickley, a top spokesperson for the National Security Agency, adding a “starstruck” emoji and quoting Sullivan’s tweet from the previous night.

CNN’s Michael Conte and Oren Liebermann contributed to this report.