Why Microsoft’s Email System Covers Worse

A week after Microsoft announced that its email server application was widely used, experts were not prompted by what they found.

“In short, it got messy,” said Katie Nickels, director of intelligence at cybersecurity firm Red Canary. “We see no signs of slowing down.”

The cybersecurity community sprang into action after Microsoft first announced a series of vulnerabilities that could allow hackers to break into the company’s Exchange email and calendar programs. China has used them to spy on a wide range of industries in the United States, ranging from medical research to law firms to defense contractors, the company said. China denies responsibility.

But it did not stop there. Microsoft’s announcement has complicated the situation, and attempts to fix the bugs have apparently attracted more hackers to exploit organizations that have not yet updated the software.

Nickels indicated that five different hacker groups, whose identities are unknown, are now exploiting the vulnerabilities.

The list of victims is growing, said Ben Read, director of threat analysis at cyber security company Mandiant.

“It’s big,” he said. “We are more than 40 incidents to which we respond, just the current customers we have. We are more than 500 victims based on confirmation of probable sources.”

Although there is no official, public list of victims, the total number is “definitely in the tens of thousands,” Read said. “There are definitely a lot of small, medium-sized entities. This is Exchange’s customer base.”

A White House National Security Council spokesman said in an emailed statement that the Biden administration had undertaken a whole-of-government response to assess and address the impact.

“This is an active threat that is still evolving,” the spokesman said.

Although there have been no reports so far that any government agencies have been affected, the US Cybersecurity and Infrastructure Security Agency, the country’s primary cybersecurity agency, on Wednesday exercised its emergency power to force government agencies to update to the latest version of Exchange.

In an extraordinarily candid message, the agency tweeted Monday night that “CISA calls on all organizations in all sectors to follow clues to address the widespread domestic and international exploitation of Microsoft Exchange Server products’ vulnerabilities.”

The exploitation started quietly, as a more surgical operation. Initially, the only hackers exploiting Exchange were those Microsoft identified as Chinese spies, sometime around the beginning of the year, researchers say.

By the end of January, cybersecurity company Volexity noticed that hackers were spying on two of its customers and reported it to Microsoft so that it could start working on a fix for the next Exchange software update.

“They use it explicitly to steal emails,” Volexity president Steven Adair said in a phone call. “It was under the radar.”

Adair said that after he told Microsoft, he noticed a change in the hackers’ activity: they seemed to realize that a patch was coming, and so, beyond reading emails, they began trying to create footholds to stay in their victims’ networks, which made them much more visible to cybersecurity defenders.

“You can not care if they shout, because you are trying to hit a patch,” he said of the hackers’ pivot. “You found your target with high priority, you stole emails and now you want to move on. Maybe you want to build infrastructure to launch future attacks.”

Nickels, of Red Canary, said hackers had begun to exploit the vulnerabilities of Exchange frantically, and it has increased since then.

“We continued over the weekend to see exploitation of these vulnerabilities,” she said. “Any organization with an Exchange server should take it very seriously.”
