In recent days, at least 30,000 organizations in the United States, including a significant number of small businesses, towns, cities, and local governments, have been hacked by an unusually aggressive Chinese cyber espionage unit that focuses on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four recently discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations around the world with tools that give the attackers full remote control over the affected systems.
On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.
In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange server around the world.
In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be reached over the Internet from any browser and that gives the attackers administrative access to the victim’s computer servers.
Speaking on condition of anonymity, two cybersecurity experts who have briefed US national security advisers on the attack told KrebsOnSecurity that the Chinese hacking group believed responsible has seized control of “hundreds of thousands” of Microsoft Exchange servers around the world, with each victim system roughly representing one organization that uses Exchange to process email.
Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking team it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, educational institutions, defense contractors, policy think tanks and NGOs.
Microsoft’s initial advisory on the Exchange flaws credited Reston, Virginia-based Volexity with reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on January 6, 2021, a day when most of the world was glued to television coverage of the riots at the U.S. Capitol.
But Adair said that in recent days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that were not yet protected by those security updates.
“We have worked on dozens of cases so far where web shells were placed on the victim’s system on February 28th [before Microsoft announced its patches], up to this day,” said Adair. “Even if you patched the same day that Microsoft released their patches, there is a high probability that there is a web shell on your server. The truth is, if you’re running Exchange and haven’t patched it yet, there’s a good chance your organization is already compromised.”
When contacted for comment, Microsoft said it is working closely with the US Cybersecurity and Infrastructure Security Agency (CISA), other government agencies and security companies, to ensure that it provides the best possible guidance and mitigation for its clients.
“The best protection is to apply updates as soon as possible to all affected systems,” a Microsoft spokesperson said in a written statement. “We continue to assist clients by providing additional research and mitigation guidance. Affected customers should contact our support teams for additional help and resources.”
Adair said he has received dozens of calls today from state and local government agencies that have identified the backdoors on their Exchange servers and are asking for help. The problem is that patching the flaws only closes the four different ways the hackers are using to get inside; it does nothing to undo the damage that may already have been done.
By all accounts, eradicating these intruders will require an urgent and unprecedented nationwide cleanup effort. Adair and others say they are concerned that the longer victims take to remove the backdoors, the more likely it is that the intruders will install additional backdoors and perhaps expand the attack to include other parts of the victim’s network infrastructure.
Security researchers have published a tool on Microsoft’s GitHub code repository that lets anyone scan the Internet for Exchange servers that have been infected with the backdoor web shell.
KrebsOnSecurity has seen parts of a compiled victim list when running this tool, and it’s not a pretty picture. The backdoor web shell is verifiably present on the networks of thousands of American organizations, including banks, credit unions, nonprofits, telecommunications providers, utilities, and police, fire, and rescue units.
“It’s police departments, hospitals, tons of city and state governments and credit unions,” said a source who works closely with federal officials on the issue. “Almost everyone running self-hosted Outlook Web Access who didn’t receive a patch a few days ago was hit with a zero-day attack.”
Another government cybersecurity expert who participated in a recent call with multiple stakeholders affected by this hacking wave worries that the required cleanup effort will be Herculean.
“On the call, a lot of questions were from school districts or local governments that need help,” the source said, speaking on condition that they not be identified by name. “If these numbers are in the tens of thousands, how do you respond to incidents? There just aren’t enough incident response teams to do that quickly.”
When it released patches for the four Exchange Server flaws on Tuesday, Microsoft emphasized that the vulnerabilities did not affect customers running its Exchange Online service (Microsoft’s cloud-hosted email for business). But sources say the vast majority of organizations victimized so far are running some form of Internet-facing Microsoft Outlook Web Access (OWA) email system in tandem with Exchange servers on their internal networks.
“It’s a question worth asking, what will Microsoft’s recommendation be?” said the government cybersecurity expert. “They’ll say ‘Patch, but it’s better to go to the cloud.’ But how are you protecting your non-cloud products? Letting them dry on the vine.”
The government cybersecurity expert said this latest round of attacks is uncharacteristic of the kind of nation-state hacking usually attributed to China, which tends to be fairly focused on compromising specific strategic targets.
“It’s reckless,” the source said. “It seems out of place for Chinese state actors to be so indiscriminate.”
Microsoft has said that Hafnium’s forays into vulnerable Exchange servers are in no way related to the separate SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.
“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerabilities in Microsoft products and services,” the company said.
However, the events of the past few days may end up far overshadowing the damage done by SolarWinds intruders.
This is a fast-moving story and is likely to be updated multiple times throughout the day. Stay tuned.
Tags: Hafnium, Microsoft Exchange Server Failures, Steven Adair, Volexity