The Latest Microsoft Hack Looks Like It Could Be Huge

Microsoft announced this week that another one of its email products, Exchange, had been compromised by a hacking campaign. This hack is entirely unrelated to the “SolarWinds” campaign, in which Microsoft also played an outsized role.

A state-sponsored threat actor from China dubbed “HAFNIUM” is said to be exploiting a number of zero-day flaws in on-premises Microsoft Exchange servers all over the globe in an apparent effort to steal data. Exchange is the server side of corporate email: it works with mail clients like Microsoft Office and keeps mail synchronised across devices. It’s a very widely used product, to say the least. While Microsoft has sought to play down the potential scope of this hack (calling it “limited and targeted” in nature), it is beginning to look like that assessment is really, really wrong.

Among the numerous parties to disagree with the “limited and targeted” assessment is the White House, which said Friday that they were “concerned” about the extent of the attack. During a press conference, Biden administration spokesperson Jen Psaki said:

Everyone running these servers — government, private sector, academia — needs to act now to patch them. We are concerned that there are a large number of victims and are working with our partners to understand the scope of this… Network owners also need to consider whether they have already been compromised and should immediately take appropriate steps. The Cybersecurity and Infrastructure Security Agency issued an emergency directive to agencies, and we’re now looking closely at the next steps we need to take. It’s still developing. We urge network operators to take it very seriously…

Indeed, CISA took the unusual step Wednesday of mandating that all federal agencies patch the Exchange servers if they were in use: “CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” the agency reported, giving agencies until noon Friday to patch related vulnerabilities.

All this concern might be due to certain claims floating around that the parties affected by the hack could number in the tens of thousands. Indeed, KrebsOnSecurity made the bold claim Friday that “at least 30,000” U.S. organisations were hacked via the newly discovered flaws in Exchange servers, and that potentially hundreds of thousands of servers worldwide were hacked as a result of the campaign. Reuters similarly reports that more than “20,000 American organisations” have been compromised via the vulnerabilities, according to an anonymous source familiar with the government’s response efforts.

Jake Sullivan, who serves as National Security Advisor to President Biden, made it clear via Twitter that the administration was alarmed:

Chris Krebs, the former director of CISA, similarly said Friday that organisations that had their server exposed to the internet during a specific time frame should just “assume” they had been compromised by the hacking campaign:

A more on-the-ground perspective of the hack was provided by security firm Huntress, which released a report Wednesday in which they detailed the extent to which they had seen webshells deployed against unpatched Microsoft servers:

Currently, we’ve identified 176 of our partners’ servers that have received the webshell payload from Update 1 (below). These companies do not perfectly align with Microsoft’s guidance as some personas are small hotels, an ice cream company, a kitchen appliance manufacturer, multiple senior citizen communities and other “less than sexy” mid-market businesses. With that said, we have also witnessed many city and county government victims, healthcare providers, banks/financial institutions, and several residential electricity providers.

When questioned about the Huntress report Wednesday, Microsoft sent a brief statement our way, simply stating:

As we said in our blogs, we recommend customers update as soon as possible as we anticipate that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.
