Four vulnerabilities found in Microsoft’s Exchange Server software have reportedly led to more than 30,000 U.S. government and commercial organizations having their email hacked, according to a report from KrebsOnSecurity. Wired is also reporting “tens of thousands of email servers” hacked. The vulnerabilities have been patched by Microsoft, but security experts warn the work is far from over: Krebs says the detection and clean-up process will be a major effort for thousands of state and city governments, fire and police departments, school districts, financial institutions and other affected organizations.
According to Microsoft, the vulnerabilities gave hackers access to email accounts and also let them install malware that would allow them to return to those servers later.
Krebs and Wired reported that the attack was carried out by Hafnium, a Chinese hacking group. Although Microsoft did not comment on the extent of the attack, it also points to the same group as exploiting the vulnerabilities and says it has ‘a lot of confidence’ that the group is state-sponsored.
According to KrebsOnSecurity, the attack has been going on since January 6 (the day of the riots) but intensified at the end of February. Microsoft released its patches on March 2, meaning the attackers had nearly two months to carry out their operations. The president of the cybersecurity firm Volexity, which discovered the attack, told Krebs that “if you run Exchange and you have not yet patched it, chances are your organization is already in jeopardy.”
Both White House National Security Advisor Jake Sullivan and former director of the Cybersecurity and Infrastructure Security Agency Chris Krebs (unrelated to KrebsOnSecurity) tweeted about the seriousness of the incident.
This is the right thing to do. If your organization runs an OWA server exposed to the internet, accept a compromise between 02/26-03/03. Look for 8-character aspx files in C:\inetpub\wwwroot\aspnet_client\system_web\. If you get a hit on the search, you are now in a response mode. https://t.co/865Q8cc1Rm
– Chris Krebs (@C_C_Krebs) 5 March 2021
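The file check in the tweet above, written out as a small triage script. This is an added example, not code from the article or from Chris Krebs: it lists .aspx files with exactly 8-character names under the named folder and can narrow the list to files last modified inside the 02/26-03/03 window. The directory path is the one from the tweet; the sample file names and timestamps are constructed for the offline demo.

```python
"""Triage: find 8-character .aspx files (the pattern named in the tweet)."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Location quoted in the tweet; point it at the server's real inetpub root when running on a host.
DEFAULT_DIR = Path(r"C:\inetpub\wwwroot\aspnet_client\system_web")


def suspicious_aspx(root, start=None, end=None):
    """Return sorted names of *.aspx files whose stem is exactly 8 characters.

    If start/end (timezone-aware datetimes) are given, keep only files whose
    last-modified time falls inside that window. Returns [] if root is missing.
    """
    root = Path(root)
    if not root.is_dir():
        return []
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() != ".aspx" or len(p.stem) != 8:
            continue
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        if (start and mtime < start) or (end and mtime > end):
            continue
        hits.append(p.name)
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample directory (not real data) for an offline demonstration."""
    base = Path(base)
    base.mkdir(parents=True, exist_ok=True)
    stamps = {  # constructed modification times
        "12345678.aspx": datetime(2021, 3, 1, tzinfo=timezone.utc),   # inside the window
        "abcdefgh.aspx": datetime(2021, 1, 1, tzinfo=timezone.utc),   # 8 chars, but older
        "ok.aspx": datetime(2021, 3, 1, tzinfo=timezone.utc),         # wrong length
        "notes.txt": datetime(2021, 3, 1, tzinfo=timezone.utc),       # wrong extension
    }
    for name, when in stamps.items():
        path = base / name
        path.write_text("constructed sample file")
        os.utime(path, (when.timestamp(), when.timestamp()))
    return base


def demo():
    """Run the scan over the constructed tree, with and without the date window."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp) / "system_web")
        window = (datetime(2021, 2, 26, tzinfo=timezone.utc),
                  datetime(2021, 3, 3, 23, 59, 59, tzinfo=timezone.utc))
        return suspicious_aspx(root), suspicious_aspx(root, *window)


if __name__ == "__main__":
    print(demo())
```

Any hit is a reason to start incident response rather than proof of compromise on its own, and a clean result does not clear a server that was unpatched during the window.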
Microsoft has released several security updates to resolve the vulnerabilities and recommends that they be installed immediately. Notably, organizations that use Exchange Online are not affected; the exploitation was only observed on self-hosted servers running Exchange Server 2013, 2016 or 2019.
Although a large-scale attack, probably by a state-backed group, may sound familiar, Microsoft is clear that the attacks were “in no way linked” to the SolarWinds attacks that compromised U.S. federal government agencies and businesses last year.
More details about this hack are likely still to come; so far there has been no official list of compromised organizations, just a vague picture of the scope and severity of the attack.
A Microsoft spokesman said the company is ‘working closely with the [Cybersecurity and Infrastructure Security Agency], other government agencies and security companies, to ensure that we provide the best possible guidance and mitigation for our customers,” and that “[t]he best protection is to apply updates to all affected systems as soon as possible.”