Previously undetected vulnerabilities in Microsoft’s Exchange Server software have allowed hackers to attack companies’ business email. A significant number of businesses, government offices and schools have come under attack in the US and around the world. Microsoft has provided emergency patches, but these don’t help already compromised organizations. The attacks are continuing.
New Cyber Intrusions
The latest cybersecurity incident involves Microsoft’s widely used Exchange Server software and has so far claimed at least 60,000 victims globally. The tech giant explained in a blog post that attackers used four vulnerabilities in its email server software. These previously undetected vulnerabilities allowed attackers to remotely access companies’ Exchange email servers. Once attackers have access to the servers, they are able to read company email inboxes and install backdoors.
There have been two waves of attacks. Microsoft blamed the initial attacks on a state-sponsored hacking group operating out of China it has nicknamed Hafnium. The tech giant based its conclusion on the group’s “observed victimology, tactics and procedures”. However, a Chinese government spokesperson has denied Chinese government involvement. Nonetheless, in an official blog about the attacks, Microsoft describes Hafnium as a “highly skilled and sophisticated actor”.
The initial attacks began late last year and according to Microsoft were aimed at a few classic espionage targets. These included “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” Microsoft’s official blog states. The initial login credentials required for the attacks were likely stolen through Business Email Compromise.
However, a second more widespread wave of attacks began last month whose nature was different from the first wave. Nonetheless, the second wave of attacks still exploited the same Exchange Server software vulnerabilities. According to a statement to reporters last Friday by Jen Psaki, the White House press secretary, these vulnerabilities are “significant” and “could have far-reaching impacts”.
Most Affected Businesses
The organizations most affected by the second wave of attacks are small to medium-sized businesses running web versions of the Outlook email client in-house.
Initial investigations show that large organizations have been spared as they mostly run their software through cloud providers. Microsoft has stated that customers using its cloud-based business email system are not affected.
Microsoft has provided emergency patches for the vulnerabilities in its Exchange Server software. However, these will not fix issues for businesses that have already been compromised. The patches do not remove backdoors that attackers may have created once they gained access to companies’ systems.
Attacks Expected to Spread
Security officials believe that the second wave of attacks is not being conducted by the same cybercriminal group. They suggest that a different group or groups may have somehow gained access to the code used in the initial attacks and are now using it for their own purposes. More attacks are therefore expected as the code used to control business email servers spreads amongst the cybercriminal community.
Furthermore, the attacks have escalated rapidly in the last month. Consequently, researchers believe that attackers are now using an automated process to scan systems and install malware, allowing them to compromise as many victims around the world as quickly as possible before companies apply Microsoft’s patches. “This is an active threat still developing and we urge network operators to take it very seriously,” Psaki said on Friday. “Everyone running these servers – government, private sector, academia – needs to act now to patch them.”
The initial attack methodology was discovered by prominent Taiwanese cyber researcher Cheng-Da Tsai. He notified Microsoft of the flaws in its Exchange Server software back in January. It’s possible that the information held in Tsai’s notification to Microsoft somehow leaked, allowing other attackers to exploit the flaws. These bad actors are not using the flaws for cyberespionage, as was Hafnium’s aim. They are using them to steal data and install backdoors on compromised systems. These backdoors are footholds into victims’ systems. They are used by cybercriminals to later return to these compromised systems and gain full control of victims’ entire enterprise networks.
Microsoft Exchange victims identified so far by various cybersecurity firms include banks, electricity providers, senior citizen homes and an ice cream company. Also affected are US-based retailers, local governments, universities and an engineering firm.
In addition, the US Defense Department could also be affected. According to John Kirby, the Pentagon’s press secretary, the department is currently trying to ascertain whether its systems have been compromised. “We’re aware of it, and we’re assessing it,” Kirby said. “And that’s really as far as I’m able to go right now.”
Meanwhile, the FBI is urging victims to contact law enforcement agencies so that the FBI can reach them and help them remove backdoors. Microsoft has also stated that it’s working with the government and others to help customers remediate issues caused by the vulnerabilities.
At this stage, neither the tech giant nor the White House has provided information as to the scale of the attacks. Nonetheless, records show that tens of thousands of organizations around the world have been affected.
White House Warning
“We can’t stress enough that patching and mitigation is not remediation if the servers have already been compromised, and it is essential that any organization with a vulnerable server take measures to determine if they were already targeted,” a White House official warned.
Mission Secure, a cybersecurity firm specializing in industrial systems, provides the following information and recommendations to Exchange Server administrators for remediating compromised systems:
- Immediately install Microsoft’s security patch. The patches are available on this Exchange Team Blog, which also provides details on how to install the security patches. The patches, however, will not evict attackers who have already compromised servers.
- If unable to patch, find interim mitigations. Microsoft’s Security Response Center provides information on possible interim mitigation measures.
- Search for indicators of compromise. First, make an offline copy of Microsoft Exchange Server logs. Then refer to scripts released by the Microsoft Exchange Server team to check for Hafnium indicators of compromise.
- Educate employees to increase vigilance
- Notify your corporate ecosystem
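The “make an offline copy of the logs” step above is the one an administrator has to get right before running any vendor indicator-of-compromise script, because a compromised server’s logs are both the evidence and a target for tampering. The PowerShell script below is an added example, not code from the article, from Mission Secure or from Microsoft. It copies the on-premises Exchange log folders to a destination the server should not otherwise be able to write to, and records SHA-256 hashes of source and copy in a manifest so the offline set can later be shown to match what was on the server. The `ExchangeInstallPath` environment variable and the `Logging\HttpProxy`, `Logging\ECP\Server`, `Logging\OABGeneratorLog` and `Logging\Ews` sub-folders are assumptions about a default install; adjust them for your layout.

```powershell
# Added example (not from the article, Mission Secure or Microsoft):
# preserve an offline, hashed copy of Exchange Server logs before running
# the vendor's indicator-of-compromise scripts.
# Run from an elevated prompt on the Exchange server:
#   .\Preserve-ExchangeLogs.ps1 -Destination E:\evidence
param(
    # Destination should be removable media or a share the Exchange machine
    # cannot modify afterwards (write-once / append-only is ideal).
    [Parameter(Mandatory = $true)]
    [string]$Destination,

    # Exchange installation root; Exchange setup normally sets this variable
    # (assumption: default on-premises layout).
    [string]$ExchangeRoot = $env:ExchangeInstallPath
)

if (-not $ExchangeRoot -or -not (Test-Path $ExchangeRoot)) {
    throw "Exchange install path not found; pass -ExchangeRoot explicitly."
}

# Log folders worth preserving (assumed default locations under the install root).
$logFolders = @(
    (Join-Path $ExchangeRoot 'Logging\HttpProxy'),       # front-end proxy request logs
    (Join-Path $ExchangeRoot 'Logging\ECP\Server'),      # Exchange Control Panel server logs
    (Join-Path $ExchangeRoot 'Logging\OABGeneratorLog'), # offline address book generation
    (Join-Path $ExchangeRoot 'Logging\Ews')              # Exchange Web Services
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $Destination ("{0}-exchange-logs-{1}" -f $env:COMPUTERNAME, $stamp)
New-Item -ItemType Directory -Path $target -Force | Out-Null

$manifest = foreach ($folder in $logFolders) {
    if (-not (Test-Path $folder)) { Write-Warning "Missing: $folder"; continue }

    # Flatten 'Logging\ECP\Server' to 'Logging_ECP_Server' so folders do not collide.
    $name = ($folder.Substring($ExchangeRoot.Length).TrimStart('\') -replace '[\\/]', '_')
    $dest = Join-Path $target $name

    # Copy the tree as-is; nothing is filtered or rewritten at this stage.
    Copy-Item -Path $folder -Destination $dest -Recurse -Force

    # Hash both original and copy so the offline set can be shown to match the server.
    Get-ChildItem -Path $folder -Recurse -File | ForEach-Object {
        $rel  = $_.FullName.Substring($folder.Length).TrimStart('\')
        $copy = Join-Path $dest $rel
        [pscustomobject]@{
            RelativePath = (Join-Path $name $rel)
            SourceSHA256 = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            CopySHA256   = (Get-FileHash -Algorithm SHA256 -Path $copy).Hash
            SizeBytes    = $_.Length
            LastWriteUtc = $_.LastWriteTimeUtc
        }
    }
}

$manifestPath = Join-Path $target 'manifest.csv'
$manifest | Export-Csv -Path $manifestPath -NoTypeInformation

# A mismatch usually means a log file was appended to during the copy; re-run for that folder.
$mismatch = @($manifest | Where-Object { $_.SourceSHA256 -ne $_.CopySHA256 })
if ($mismatch.Count -gt 0) {
    Write-Warning ("{0} file(s) differ between source and copy; re-run the copy." -f $mismatch.Count)
} else {
    Write-Host ("Preserved {0} files to {1}; hashes recorded in manifest.csv" -f @($manifest).Count, $target)
}
```

Keep the manifest with the copied logs, then run Microsoft’s indicator-of-compromise scripts against the live server as the list above describes. If the scripts report findings, the preserved copy is what incident responders and law enforcement will want to see, since anything left on the server after a compromise is open to modification.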