Chinese hacking attack hit an ‘astronomical’ number of victims

When the news broke earlier this week that Chinese hackers were actively targeting Microsoft Exchange servers, the cybersecurity community warned that the zero-day vulnerabilities they exploited would have allowed them to hit countless organizations around the world. Now it is becoming clear just how many email servers have actually been hacked. It appears that the group known as Hafnium breached as many victims as it could find on the worldwide internet and left behind backdoors to return to later.

Hafnium has now exploited zero-day vulnerabilities in the Outlook Web Access component of Microsoft’s Exchange servers to indiscriminately compromise no fewer than tens of thousands of email servers, according to sources with knowledge of the investigation into the hacking campaign who spoke to WIRED. The break-ins, first spotted by security firm Volexity, started as early as January 6, with a noticeable upswing beginning last Friday and peaking early this week. The hackers appear to have responded to Microsoft’s patch, released Tuesday, by ramping up and automating their hacking campaign. A security researcher involved in the investigation, who spoke to WIRED on condition of anonymity, estimated the number of hacked Exchange servers in the US alone at more than 30,000, and hundreds of thousands worldwide, all apparently by the same group. Independent cybersecurity journalist Brian Krebs first reported that 30,000 figure Friday, citing sources that briefed national security officials.

“It’s huge. Absolutely huge,” a former national security officer with knowledge of the investigation told WIRED. “We are talking about thousands of servers that are compromised every hour, worldwide.”

During a press conference Friday afternoon, Jen Psaki, the White House press secretary, urged anyone running the affected Exchange servers to immediately apply Microsoft’s patch for the vulnerabilities. “We are concerned that there are high casualties and are working with our partners to understand the scope of this,” Psaki said, in a rare instance of a White House press secretary commenting on specific cybersecurity vulnerabilities. “Network owners should also consider whether they have already been compromised and take appropriate action immediately.” That White House advice echoed a widely shared tweet from Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, who on Thursday night advised anyone with an exposed Exchange server to assume “compromise” and take incident response measures to remove the hackers’ access.

The affected networks, which are more likely to belong to small and medium-sized organizations than to the large corporations that tend to use cloud-based email systems, appear to have been hacked haphazardly through automated scanning. The hackers placed a “web shell” – a remotely accessible, web-based backdoor – on the Exchange servers they exploited, giving them access to the target machines and potentially allowing them to move laterally to other computers on the network.

That means only a small fraction of the hundreds of thousands of hacked servers around the world are likely to be actively targeted by the Chinese hackers, says Steven Adair, founder of Volexity. Nevertheless, any organization that makes no effort to remove the hackers’ backdoors will remain compromised, and the hackers could re-enter its network to steal data or cause chaos at any point until that web shell is removed. “A huge, huge number of organizations are getting that first foothold,” says Adair. “It’s a ticking time bomb that can be used against them at any time.”

While the vast majority of the breaches appear to consist of nothing more than those web shells, the “astronomical” scale of the global compromises is uniquely troubling, a security researcher who took part in the investigation told WIRED. The small and medium-sized organizations that were compromised include local government agencies, police departments, hospitals, Covid response organizations, energy and transportation companies, airports and prisons. “China simply owned the world – or at least everyone with Outlook Web Access,” said the researcher. “When was the last time someone was so bold as to just hit everyone?”
