White House warns of ‘active threat’ from Microsoft email hackers

“This is an active threat,” White House press secretary Jen Psaki said Friday. “Everyone who runs these servers – government, private sector, academia – must act now to patch them.”

Psaki’s warnings followed a tweet by National Security Advisor Jake Sullivan on Thursday night that underscored how concerned the Biden administration is. He urged IT administrators across the country to install the software fixes immediately. Sullivan said the US government is monitoring reports that US think tanks may have been compromised by the attack, as well as “defense-based industrial entities.”

Later on Friday, the Cybersecurity and Infrastructure Security Agency underscored the risk in unusually plain language, stating in a tweet that the malicious activity, if left unchecked, could “allow an attacker to gain control of the entire enterprise network.”

In an unusual step, White House officials have urged private sector organizations that run on-premises installations of Microsoft Exchange server software to install several critical updates that were released in what information security experts described as an emergency patch release.

Cybersecurity firm FireEye said Thursday that it had already identified a number of targeted victims, including “US-based retailers, local governments, a university and an engineering company.”

Pentagon press secretary John Kirby told reporters on Friday that the Defense Department is currently working to determine whether it has been negatively affected by the vulnerability.

“We are aware of it and we are evaluating it,” Kirby said. “And that’s as far as I can go right now.”

Microsoft revealed this week that it had learned of several vulnerabilities in its server software that were being exploited by suspected Chinese hackers. In the past, Microsoft said, the hacker group responsible, which Microsoft calls Hafnium, has targeted “infectious disease researchers, law firms, institutions of higher education, defense contractors, think tanks, and NGOs.” The group had not previously been publicly identified, according to Microsoft.
The announcement marked the latest information security crisis to hit the US after FireEye, Microsoft and others reported an alleged Russian hacking campaign that began with the infiltration of IT software company SolarWinds. That effort has led to the compromise of at least nine federal agencies and dozens of private companies.

But the malicious activity revealed this week is in no way related to the SolarWinds hack, Microsoft said Tuesday.

Microsoft typically releases software updates on the second Tuesday of each month. But in a sign of the seriousness of the threat, Microsoft released the patches that address the new, previously unknown vulnerabilities a week early.

‘We urge network operators to take it very seriously’

The Department of Homeland Security also released an emergency directive Tuesday that requires federal agencies to update their servers or take them offline. It is only the sixth such directive since the formation of CISA in 2015, and the second in three months.

“We urge network operators to take it very seriously,” Psaki said of the directive. The administration is concerned that there are a “large number of victims,” she added.

Once Hafnium attackers compromise an organization, Microsoft said, they have been known to download data such as address books and gain access to its user account database.

A person working for a Washington think tank told CNN that the attackers targeted his personal and work email accounts. Microsoft sent him a warning that a foreign government was behind this. AOL sent a similar notification for the personal account.


The person was then visited by FBI agents who showed up at his door, reiterating that this was a sophisticated and ongoing hack by a foreign government and that a nationwide FBI investigation is underway.

The attackers had used their unauthorized access to send emails to the person’s contacts, “adapting [the messages] so that the recipient does not doubt that I am the sender.” The fraudulent emails the attackers sent in the person’s name included invitations to non-existent conferences and referred to an article attributed to the person and a book attributed to a colleague, neither of which they had written.

Each message, the person said, came with links that asked people to click on them.

“This is the real deal,” tweeted Christopher Krebs, the former director of CISA. “If your organization runs an OWA server exposed to the Internet, assume compromise between 02/26 and 03/03.”
In its own advisory, CISA urged network security officials to start looking for evidence of intrusions as early as September 2020.

The US government’s unusually public response to the incident came as a surprise to many experts, a reflection of both the Biden administration’s focus on cyber issues compared to the Trump White House and the scale of the threat.

“Is this the first time the National Security Advisor has promoted a specific patch?” wondered John Hultquist, Vice President of FireEye’s Mandiant Threat Intelligence arm.
“When you wake up with the [National Security Advisor] and [Press Secretary] tweeting about cyber,” tweeted Bailey Bickley, a top spokesperson for the National Security Agency, adding a “dazed” emoji and quoting Sullivan’s tweet from the night before.

CNN’s Michael Conte and Oren Liebermann contributed to this report.
