At least 30,000 organizations across the United States, including a significant number of small businesses, towns, cities and local governments, have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that is focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers remote control over the affected systems.
On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.
In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.
In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be reached over the Internet from any browser and that gives the attackers access to the victim’s computer server.
Speaking on condition of anonymity, two cybersecurity experts who have briefed U.S. national security advisors on the attack told KrebsOnSecurity that the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide, with each victim system representing roughly one organization that uses Exchange to process email.
Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, educational institutions, defense contractors, policy think tanks, and NGOs.
Microsoft’s initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the uprising at the U.S. Capitol.
But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that have not yet been protected by those security updates.
“We have been working on a number of cases so far where the web shell was put on the victim system on February 28th [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you installed the patch the same day Microsoft released it, there is a high chance there will be a web shell on your server. The truth is, if you’re using Exchange and you haven’t fixed it, it’s very likely your organization will be compromised.”
Reached for comment, Microsoft said it is working closely with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), other government agencies, and security companies to ensure it is providing the best possible guidance and mitigation for its customers.
“The best defense is to apply updates on all affected systems as quickly as possible,” a Microsoft spokesperson said in a written statement. “Affected customers should contact our support team for additional mitigation guidance, assistance and resources.”
Adair said he has fielded dozens of calls today from state and local government agencies that have identified the backdoors on their Exchange servers and are asking for help. The trouble is that the patch only blocks the four different methods the hackers are using to get in; it does nothing to undo the damage that may already have been done.
By all accounts, rooting out these intruders will require an urgent and unprecedented nationwide clean-up effort. Adair and others say they worry that the longer it takes victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broaden the attack to include other parts of the victim’s network infrastructure.
Security researchers have published a tool on Microsoft’s Github code repository that lets anyone scan the Internet for Exchange servers that have been infected with the backdoor.
KrebsOnSecurity has seen portions of a victim list compiled by running this tool, and it is not a pretty picture. The backdoor web shell has been found on the networks of thousands of U.S. organizations, including banks, credit unions, nonprofits, telecommunications providers, utilities and police, fire and rescue services.
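Because the patch closes the four entry points but leaves any web shell that was already dropped in place, patching has to be followed by a hunt for files that were not part of the server's web root before. The following baseline-diff check is an added illustration, not code from the article, from Volexity or from the Microsoft tool mentioned above: it records a manifest of an OWA web root, then flags server-side script files that are new or modified relative to that manifest. The directory layout, file names and script extensions are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Server-side script extensions a dropped web shell on an IIS/Exchange host
# would typically use (assumption for this example, not from the article).
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(web_root: Path) -> dict:
    """Map each file's path (relative to web_root) to its SHA-256 digest."""
    return {p.relative_to(web_root).as_posix(): sha256_of(p)
            for p in sorted(web_root.rglob("*")) if p.is_file()}

def find_suspect_files(web_root: Path, baseline: dict) -> list:
    """Return (reason, path) for script files new or changed since baseline."""
    suspects = []
    for rel, digest in build_manifest(web_root).items():
        if Path(rel).suffix.lower() not in SCRIPT_EXTS:
            continue  # images, CSS etc. are not executable on the server
        if rel not in baseline:
            suspects.append(("new", rel))
        elif baseline[rel] != digest:
            suspects.append(("modified", rel))
    return sorted(suspects)

def demo() -> list:
    """Constructed scenario: take a baseline, then simulate post-patch changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "owa"
        (root / "auth").mkdir(parents=True)
        (root / "auth" / "logon.aspx").write_text("<!-- legitimate page -->")
        (root / "auth" / "logo.png").write_bytes(b"\x89PNG")
        manifest_file = Path(tmp) / "baseline.json"  # keep a copy off-host
        manifest_file.write_text(json.dumps(build_manifest(root)))
        # Simulated artifacts left behind by an intruder (constructed, not real IoCs)
        (root / "auth" / "help_demo.aspx").write_text("<%@ Page Language=\"C#\" %>")
        (root / "auth" / "logon.aspx").write_text("<!-- legitimate page --><% %>")
        (root / "auth" / "new.png").write_bytes(b"\x89PNG")  # not a script: ignored
        return find_suspect_files(root, json.loads(manifest_file.read_text()))

if __name__ == "__main__":
    for reason, rel in demo():
        print(f"{reason}: {rel}")
```

A manifest taken before the server was exposed (for example from a known-good build) is the reference that matters; a baseline recorded after Feb. 28 may already include the intruder's files.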
“It’s a lot of police, hospitals, government agencies and credit agencies,” said one source who worked closely with federal officials on the matter. “[Those who] got it fixed a few days ago were hit with zero-day attacks.”
Another government cybersecurity expert who took part in recent calls with several stakeholders affected by the hacking spree worries that the cleanup effort required is going to be Herculean.
“On the calls, there are a lot of questions from school districts or local governments, and everyone needs help,” the source said, speaking on condition of anonymity. “How do you do it? There are simply not enough incident response teams to act quickly.”
When Microsoft released patches for all four Exchange Server flaws on Tuesday, it stressed that the vulnerabilities do not affect customers using its Exchange Online service (Microsoft’s cloud-hosted email for businesses). Sources say most of the organizations that have fallen victim so far were running some form of Internet-facing Microsoft Outlook Web Access (OWA) email system alongside an internal Exchange server.
“It’s a pretty cool question what Microsoft’s advice will be,” said the government cybersecurity expert. “They’ll say, ‘Patch, but better go to the cloud.’ But will they secure the product? How can that be, for non-cloud? Let them wither on the vine.”
Government cybersecurity experts say the latest round of attacks does not follow the pattern of the typically state-sponsored hacking from China, which tends to focus on compromising specific strategic targets.
“It’s reckless,” the source said. “It seems Chinese state actors do not discriminate like this.”
Microsoft has said that the Hafnium intrusions into vulnerable Exchange servers are not connected to the separate SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.
“We are still seeing no evidence that the actors behind SolarWinds discovered or exploited any vulnerabilities in Microsoft products and services,” the company said.
Nevertheless, the events of the past few days may well end up eclipsing the damage done by the SolarWinds intruders.
This is a fast-moving story and it will likely receive multiple updates throughout the day.
Tags: Hafnium, Microsoft Exchange Server flaws, Steven Adair, Volexity
This entry was posted on Friday, March 5, 2021 at 4:07 pm and is filed under Latest Warnings, The Coming Storm, Time to Patch.