At least 30,000 organizations across the United States – including a significant number of small businesses, towns, cities and local governments – have been hacked over the past few days by an unusually aggressive Chinese cyber espionage unit that focuses on stealing email from victim organizations, several sources tell KrebsOnSecurity. The espionage group exploits four newly discovered flaws in Microsoft Exchange Server email software and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total remote control over affected systems.
On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.
In the three days since then, security experts say that the same Chinese cyber espionage group has dramatically intensified attacks on vulnerable, unpatched Exchange servers around the world.
In each incident, the intruders have left behind a “web shell”, an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser and gives the attackers administrative access to the victim’s computer servers.
Speaking on condition of anonymity, two cybersecurity experts who have briefed US national security advisors on the attack told KrebsOnSecurity that the Chinese hacking group believed to be responsible has seized control of “hundreds of thousands” of Microsoft Exchange servers worldwide – with each hacked system representing roughly one organization that uses Exchange to process email.
Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium”, and said the group had conducted targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.
Microsoft’s initial advisory on the Exchange flaws credited Reston, Va.-based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on January 6, 2021, a day when most of the world was glued to television coverage of the riot at the US Capitol.
But Adair said the hacking team has shifted into high gear over the past few days and is moving fast to scan the Internet for Exchange servers that were not yet protected by these security updates.
“So far, we have worked on dozens of cases where web shells were put on the victim system back on February 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft released its patches, there’s still a good chance there’s a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
Reached for comment, Microsoft said it is working closely with the US Cybersecurity & Infrastructure Security Agency (CISA), other government agencies and security companies to ensure it provides the best possible guidance and mitigation for its customers.
“The best protection is to apply updates as quickly as possible to all affected systems,” a Microsoft spokesperson said in a written statement. “We continue to help customers by providing additional investigation and mitigation guidance. Affected customers should contact our support teams for additional help and resources.”
Adair said he has fielded dozens of calls today from state and local government agencies that have identified the backdoors on their Exchange servers and are asking for help. The problem is that patching the flaws only blocks the four different ways the hackers are using to get in. It does nothing to undo the damage that may already have been done.
By all accounts, rooting out these intruders will require an unprecedented and urgent nationwide clean-up effort. Adair and others say they are concerned that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors and perhaps extending the attack to other parts of the victim’s network infrastructure.
Security researchers have posted a tool on Microsoft’s GitHub code repository that lets anyone scan the Internet for Exchange servers that have been infected with the backdoor shell.
KrebsOnSecurity has seen parts of a victim list compiled by running this tool and it is not a pretty picture. The backdoor shell is verifiably present on the network of thousands of U.S. organizations, including banks, credit unions, nonprofits, telecommunications providers, utilities, and police, fire and rescue services.
“It’s police departments, hospitals, lots of city and state governments and credit unions,” said a source working closely with federal officials on the matter. “Almost everyone who runs Outlook Web Access with their own host and was not patched a few days ago was hit with a zero-day attack.”
Another government cyber security expert who participated in a recent call with several stakeholders affected by this hacking is concerned that the required cleanup effort will be herculean.
“On the call, there were a lot of questions from school districts or local governments, all of which need help,” the source said, speaking on condition they were not identified by name. “If these numbers are in the tens of thousands, how does incident response get done? There are just not enough incident response teams out there to do that quickly.”
When it released patches for the four Exchange Server bugs on Tuesday, Microsoft stressed that the vulnerability did not affect customers running its Exchange Online service (Microsoft’s cloud-hosted business email). But sources say that the vast majority of organizations that have been victims so far run some form of Internet-facing Microsoft Outlook Web Access (OWA) email systems along with Exchange servers internally.
“This is a question worth asking: what is Microsoft’s recommendation going to be?” said the government cybersecurity expert. “They’ll say ‘Patch, but it’s better to go to the cloud.’ But how are they securing their non-cloud products? Letting them wither on the vine.”
The government cybersecurity expert said this latest round of attacks is uncharacteristic of the kind of nation-state hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.
“It’s ruthless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”
Microsoft has said that Hafnium’s hacking of vulnerable Exchange servers is in no way linked to the separate SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.
“We still see no evidence that the actor behind SolarWinds discovered or exploited any vulnerabilities in Microsoft products and services,” the company said.
Nevertheless, the events of the last few days may well end up overshadowing the damage done by the SolarWinds intruders.
This is a fast-moving story and will likely be updated several times during the day. Stay tuned.
Tags: Hafnium, Microsoft Exchange Server flaws, Steven Adair, Volexity
This entry was posted on Friday, March 5th, 2021 at 16:07 and is filed under Latest Warnings, The Coming Storm, Time to Patch.