Exchange email servers have been hit by a devastating attack that could eventually turn out to be worse than Russia’s attack, which may have affected 18,000 organizations.
On March 2, Microsoft revealed in a blog post that a China-sponsored group it calls Hafnium has been targeting Exchange Server software. The attacks have three steps, the company said.
“First, you would gain access to an Exchange server either with stolen passwords or by using … previously undiscovered vulnerabilities to disguise yourself as someone who should have access,” the company said. “Second, it would create what is called a web shell to control the compromised server remotely. Third, it would use that remote access, running from private US-based servers, to steal data from an organization’s network.”
Security blogger Brian Krebs wrote on his website on Friday that at least 30,000 organizations have been affected by the attacks, including “small businesses, towns, cities and local governments.”
Krebs noted that after Microsoft’s disclosure of the hack, the Chinese group “dramatically stepped up attacks on any vulnerable and unpatched Exchange server around the world.” Krebs wrote that cybersecurity experts he spoke with claimed that Hafnium had taken control of “hundreds of thousands” of Exchange servers around the world.
The Wall Street Journal reported over the weekend that the attacks could have hit tens of thousands of US businesses, government offices and schools, but added that the exact number is unclear and, according to one source, could reach 250,000. On Friday, White House press secretary Jen Psaki said the attacks “could have a far-reaching impact … we are concerned that there are a lot of casualties.”
The government’s Cybersecurity and Infrastructure Security Agency last week issued an “emergency directive” requiring federal agencies to patch critical vulnerabilities. Former CISA director Chris Krebs (no relation to Brian Krebs), who was fired by the Trump administration, tweeted last week that this is “a crazy huge hack … the scale and speed of this is terrifying.”
Microsoft told Barron’s that the company was working with government agencies and security companies to mitigate the incident, but declined to comment on the extent of the attacks.
“We are working closely with CISA, other government agencies and security companies, to ensure that we are providing the best possible guidance and mitigation for our clients,” the company said in a statement issued to Barron’s on Monday. “The best protection is to apply updates as soon as possible to all affected systems.” The company said it continues to provide guidance on how to investigate and deal with the damage, and that affected customers should contact their support teams.
At least so far, the situation has not affected Microsoft’s share price. Both Goldman Sachs and
reiterated their Buy ratings on Monday. The stock closed 1.8% lower at $227.39, while the Nasdaq Composite fell 2.4%.
Write to Eric J. Savitz at [email protected]