Microsoft announced this week that customers running another of its email products, Exchange, were being compromised in a hacking campaign. This hack is entirely unrelated to the “SolarWinds” campaign, in which Microsoft also played an outsized role.
A state-sponsored threat actor from China dubbed “HAFNIUM” is said to be exploiting several zero-day flaws in on-premises Microsoft Exchange servers around the globe in an apparent effort to steal data. Exchange is Microsoft’s mail and calendaring server: clients such as Outlook connect to it to send and receive mail and to keep mailboxes synchronised across devices. It is a very widely used product, to say the least, and the flaws concern the on-premises deployments that organisations host and patch themselves. While Microsoft has sought to play down the potential scope of this hack (calling it “limited and targeted” in nature), that assessment is beginning to look badly wrong.
Among the numerous parties to disagree with the “limited and targeted” assessment is the White House, which said Friday that they were “concerned” about the extent of the attack. During a press conference, Biden administration spokesperson Jen Psaki said:
Everyone running these servers — government, private sector, academia — needs to act now to patch them. We are concerned that there are a large number of victims and are working with our partners to understand the scope of this…Network owners also need to consider whether they have already been compromised and should immediately take appropriate steps. The Cybersecurity and Infrastructure Security Agency issued an emergency directive to agencies, and we’re now looking closely at the next steps we need to take. It’s still developing. We urge network operators to take it very seriously…
Indeed, CISA took the unusual step Wednesday of ordering every federal civilian agency running on-premises Exchange to patch it: “CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” the agency wrote, giving agencies until noon Friday to patch the related vulnerabilities.
Much of this concern stems from estimates that the number of affected organisations could run into the tens of thousands. KrebsOnSecurity made the bold claim Friday that “at least 30,000″ U.S. organisations were hacked via the newly disclosed Exchange flaws, and that potentially hundreds of thousands of servers worldwide were compromised in the campaign. Reuters similarly reports that more than “20,000 American organisations” have been compromised, citing an anonymous source familiar with the government’s response efforts.
Jake Sullivan, who serves as National Security Advisor to President Biden, made it clear via Twitter that the administration was alarmed:
We are closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises of U.S. think tanks and defense industrial base entities. We encourage network owners to patch ASAP: https://t.co/Q2K4DYWQud
— Jake Sullivan (@JakeSullivan46) March 5, 2021
Chris Krebs, the former director of CISA, similarly said Friday that organisations whose Outlook Web Access (OWA) servers were exposed to the internet during a specific window should simply “assume” they had been compromised by the campaign:
This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03. Check for 8 character aspx files in C:\inetpub\wwwroot\aspnet_client\system_web. If you get a hit on that search, you’re now in incident response mode. https://t.co/865Q8cc1Rm
— Chris Krebs (@C_C_Krebs) March 5, 2021
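The check described in the tweet above, written out as an added example (this is not code from the article, from Chris Krebs, or from Microsoft): it lists .aspx files with an eight-character name under the aspnet_client tree of an on-premises Exchange server and notes whether each was created inside the 26 February to 3 March window. The directory list, the date window, and the extra content heuristic for typical one-line ASPX webshells (`eval(` together with `Request`) are assumptions added here; the real set of drop locations used in the campaign may be longer, and a clean result does not prove the server was not compromised.

```powershell
# Added example, not from the article or the tweet. Run in an elevated
# PowerShell session on the Exchange server itself.

# Assumed drop locations, based on the path named in the tweet.
$SearchRoots = @(
    'C:\inetpub\wwwroot\aspnet_client\system_web',
    'C:\inetpub\wwwroot\aspnet_client'
)

# Assumed compromise window taken from the tweet (inclusive of both days).
$WindowStart = (Get-Date '2021-02-26').ToUniversalTime()
$WindowEnd   = (Get-Date '2021-03-03').AddDays(1).ToUniversalTime()

# Extra heuristic (assumption, not from the tweet): one-line ASPX webshells
# commonly evaluate attacker input taken from the request.
function Test-WebshellContent {
    param([string]$Path)
    $text = Get-Content -LiteralPath $Path -Raw -ErrorAction SilentlyContinue
    if (-not $text) { return $false }
    return ($text -match 'eval\s*\(' -and $text -match 'Request')
}

$hits = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName.Length -eq 8 } |   # e.g. abcd1234.aspx
        ForEach-Object {
            $created = $_.CreationTimeUtc
            [PSCustomObject]@{
                Path          = $_.FullName
                CreatedUtc    = $created
                ModifiedUtc   = $_.LastWriteTimeUtc
                SizeBytes     = $_.Length
                InWindow      = ($created -ge $WindowStart) -and ($created -lt $WindowEnd)
                ShellLikeBody = Test-WebshellContent -Path $_.FullName
            }
        }
}

if ($hits) {
    Write-Warning 'Possible webshell(s) found. Treat the host as compromised and start incident response.'
    $hits | Sort-Object CreatedUtc | Format-Table -AutoSize
} else {
    Write-Output 'No 8-character .aspx files under the checked paths. This does not prove the server is clean.'
}
```

Preserve the files rather than deleting them if anything is listed: creation and modification timestamps, file contents, and the matching IIS request logs are what an incident responder will need to scope the intrusion, and the patch alone does not remove a webshell that is already in place.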
A more on-the-ground perspective of the hack was provided by security firm Huntress, which released a report Wednesday detailing the extent to which it had seen webshells deployed on unpatched Exchange servers:
Currently, we’ve identified 176 of our partners’ servers that have received the webshell payload from Update 1 (below). These companies do not perfectly align with Microsoft’s guidance as some personas are small hotels, an ice cream company, a kitchen appliance manufacturer, multiple senior citizen communities and other “less than sexy” mid-market businesses. With that said, we have also witnessed many city and county government victims, healthcare providers, banks/financial institutions, and several residential electricity providers.
When questioned about the Huntress report Wednesday, Microsoft sent a brief statement our way, simply stating:
As we said in our blogs, we recommend customers update as soon as possible as we anticipate that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.