In the past week, Microsoft announced than the on-premises version of your widely used Exchange email and calendar product it had several previously undisclosed security flaws. These flaws, the company said, were being used by foreign threat actors to hack into the networks of US companies and governments, primarily to steal large amounts of email data. Since then, the main question on everyone’s mind has been: How bad is this?
The short answer is:It is too bad
So far, descriptors such as “crazy huge, “”astronomical,” Y “unusually aggressive”It seems to be correct. As a result of the Exchange vulnerabilities, it is likely that tens of thousands of US-based entities have implanted malicious backdoors into their systems. Anonymous sources close to the investigation have repeatedly told the press that somewhere about 30,000 American organizations have been compromised as a result of security breaches (if correct, these figures officially dwarf SolarWinds, leading to the compromise of some 18,000 entities nationwide and nine federal agencies, according to the White House). The number of entities involved around the world could be much higher. A fountain recently told Bloomberg that there are “at least 60,000 known victims worldwide.
Even more troublesome, some researchers have said that since the public disclosure of the Exchange vulnerabilities, it appears that attacks on the product have accelerated. Anton Ivanov, a Kaspersky’s threat research specialist said in an email that his team has seen an increase in activity over the past week.
“From the beginning, we anticipated that attempts to exploit these vulnerabilities would increase rapidly, and this is exactly what we are seeing now; so far we have detected such attacks in more than 100 countries, essentially all over the world.” Ivanov told Gizmodo. “Although the initial attacks may have been targeted, there is no reason why the actors should not try their luck attacking essentially any organization running a vulnerable server. These attacks are associated with a high risk of data theft or even ransomware attacks and therefore organizations should take protective measures as soon as possible. “
How are the attacks happening?
Microsoft Exchange Server comes in two formats, which has led to some confusion about which systems are at risk: there is an on-premises product and a software-as-a-service cloud product. The cloud product, Exchange Online, is said to be unaffected by security flaws. As indicated above, it is local products that are being exploited. Other Microsoft email products are not believed to be vulnerable. What CISA has said, “Currently neither vulnerabilities nor exploit activity identified are known to impact Microsoft 365 or Azure Cloud deployments.”
There are four vulnerabilities on local Exchange servers that are being actively exploited (see: here, here, here, Y here). Three others associated with security vulnerabilities exist, but authorities say these have not yet seen an active exploitation of these (see: here, here, Y here.) Patches can be found on the Microsoft website, however, as we will see in more detail later, there have been some problems with proper implementation.
So far, Microsoft has primarily blamed a threat actor dubbed “HAFNIUM” for the intrusions on Exchange. HAFNIUM is said to be a state-sponsored group whose modus operandi involves exploiting security flaws to implement web shells, malicious scripts that can act as back doors into systems. These web shells allow hackers to gain remote access to servers and then exfiltrate large amounts of email data, including entire inboxes. HAFNIUM’s goal would appear to be information gathering. Although the group is believed to be based in China, the Chinese government has denied any responsibility.
However, security researchers say that other threat actors are almost certainly involved in the exploitation of vulnerabilities. Security firm Red Canary reported over the weekend that they had observed multiple clusters of activity targeting Exchange servers and that organizations should not assume that they are necessarily being attacked by HAFNIUM; it could be someone else.. “Based on our visibility and that of researchers at Microsoft, FireEye and others, there are at least 5 different clusters of activity that appear to be exploiting the vulnerabilities,” said the Red Canary researcher. Katie nickels on Saturday.
Who is getting hit
Due to the widespread use of Exchange, many different types of entities are at risk. Some large organizations, including the European Banking Authority“They have already announced infractions.” It is not yet known whether the US government. affected, although numerous agencies—including the Pentagon—They are currently reviewing their own networks to see if they have been compromised.
Security researchers have expressed particular concern about the entities, specifically city and county governments and small and medium-sized companies, which they say are at higher risk. In North Dakota, the state government recently admitted that he had been targeted by HAFNIUM and was investigating whether Chinese hackers had stolen data.
Lior Div, chief executive of security firm Cybereason, said that smaller companies were particularly at risk of being compromised by the campaigns. Div emphasized the potential impact this hack could have on local economies in the event that the Attacks are more destructive than invasive:
“The latest assault on Microsoft Exchange is a thousand times more devastating [than SolarWinds] because Chinese attackers have targeted SMEs [small and medium size enterprises], the lifeblood of the American economy and the engine of the global economy, ”Div said in an email. “SMEs were the hardest hit by the COVID-19 pandemic, with millions of businesses closing around the world. And just as we start to turn the corner after a devastating year, this attack on SMEs is launched. This attack is potentially even more damaging because SMBs often don’t have such a strong security posture, allowing threat actors to take advantage of the weak and generate strong revenue streams in this way. “
What is being done?
The White House announced Sunday night that he would be putting together a working group to investigate the scope of the hack. This answer However, it may be held back by the fact that the Biden administration is already juggling a response to the SolarWinds hack (the White House is currently considering covert cyber operations and sanctions on Russia, for its alleged role in the attacks).
As noted above, Microsoft has released patches for the vulnerabilities, but these patches have had some issues. On Thursday, a Microsoft spokesperson noted that in certain cases, the patches would appear to work, but would not actually fix the vulnerability. TO full breakdown of that problem can be found on the Microsoft website.
Organizations were warned not only to patch vulnerabilities but you should also investigate whether they have already been compromised. Microsoft has announced resources to help with that. That issued an update of your Safety Scanner Tool (MSERT) which can help identify if web shells have been deployed on Exchange servers. MSERT is an anti-malware tool that searches for, identifies, and removes malware on a system.
Apart from shoringuntil defenses and inspection systems for signs of compromise, there may not be much that can be done at this time. As with SolarWinds, Americans will probably just have to sit back and wait. Going to Definitely take your time to understand how extensive the damage is.