“Hack Anyone You Can”: What You Need to Know About the Massive Microsoft Exchange Breach

Cybersecurity responders are working around the clock to support networks affected by last week’s Exchange email server hack, an attack that has hit hundreds of thousands of organizations worldwide.

On Friday, the White House urged victims to patch systems and stressed the urgency: The timeframe for updating systems can be measured in “hours, not days,” a senior official said.

“This is a crazy huge hack,” Christopher Krebs, former president of the US Cybersecurity and Infrastructure Security Agency (CISA), tweeted last week.

The consequences of the hack are still being measured. President Joe Biden has been briefed on the attack and discussed it at a summit on Friday with leaders from India, Japan and Australia, national security adviser Jake Sullivan said. The National Security Council has set up a government task force to address the massive breach.

The breach follows last year’s Russian-linked hack, which used SolarWinds software to spread a virus across 18,000 government and private computer networks.

FireEye CEO Kevin Mandia gives a tour of the cybersecurity company’s unused office space in Reston, Virginia, Tuesday, March 9, 2021. Mandia said 550 of its employees are working remotely and responding to a recent barrage of cyber-breaches, including four different zero-day attacks against Microsoft Exchange.

Nathan Ellgren / AP

“SolarWinds was bad. But the massive hacking taking place here is literally the biggest hack I’ve seen in my fifteen years,” said David Kennedy, CEO of cybersecurity firm TrustedSec. “In this particular case, there was no rhyme or reason for whom [attackers] were hacking. It was literally hacking anyone you can in this short time frame and causing as much pandemonium and chaos as possible.”

Here’s what you need to know about the Microsoft Exchange exploit:

When did the attack begin?

Hackers began secretly targeting Exchange servers “in early January,” according to cybersecurity firm Volexity, which gives Microsoft credit for identifying the initial exploits.

Microsoft vice president Tom Burt said hackers first gained access to an Exchange Server with stolen passwords or by exploiting previously undiscovered vulnerabilities that let them “disguise themselves as someone who should have access.” Using web shells, hackers then controlled the servers remotely, operating from US-based private servers, to steal data from a victim’s network.

Who is behind the attack?

Microsoft identified a China-based group known as “Hafnium” as the main actor behind the initial attacks.

The Hafnium group has historically focused on “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” Burt wrote in a company blog post.

In this photo illustration a Microsoft logo is displayed on a smartphone with stock market values in the background.

Omar Marques / SOPA Images / Sipa USA via AP Images

How did Microsoft react?

Microsoft disclosed the vulnerabilities on March 2 and released patches for multiple versions of Exchange. While Microsoft typically releases updates on the second Tuesday of each month, known as “Patch Tuesday”, the announcement came on the first Tuesday of the month, an indication of the urgency.

Days later, the company also took the unusual step of releasing security patches for outdated versions of Exchange Server.

A Microsoft spokesperson told CBS News that the company was working closely with CISA, other government agencies and security companies. In a statement released to CBS News last week, the company said, “The best protection is to apply updates to all affected systems as soon as possible. We will continue to assist customers by providing additional research and guidance. Affected customers should contact our support teams for additional help and resources.”

How did the attack evolve?

Experts say it’s common for hackers to launch an attack immediately prior to a fix, but the pace was much faster in this case. “Once a patch is imminent, [hackers] may move to wider exploitation because there is a ‘use or lose’ factor,” said Ben Read, director of threat analysis at cybersecurity firm Mandiant.

Then, in late February, just days before Microsoft released its security patch, security researchers saw an automated second wave of attacks targeting victims across industries.

“They got very aggressive and essentially hacked everyone,” Kennedy said. Hackers planted back doors known as “web shells” in systems and launched attacks on organizations “without rhyme or reason.” Kennedy added, “We haven’t seen that in China in the past.”

Microsoft said Friday it is investigating whether attackers were tipped off that a patch was imminent. The internal probe focuses on “what could have triggered the spike of malignant activity at the end of February,” but the researchers have not yet drawn any conclusions. “We have seen no evidence of a leak at Microsoft in connection with this attack,” a Microsoft spokesperson told CBS News.

What did the hackers want?

The purpose of the hackers is unclear. “Tens of thousands of targets, most of which really don’t have any intelligence value,” Read said. “They are just small towns and local businesses. Their information is unlikely to be of any value to the Chinese government.” Read called the “level of mass exploitation” of arbitrary bystanders a “very rare” display of power.

And what started as a campaign led by Chinese hackers soon gave way to a feeding frenzy of criminal gangs in other countries, including Russia.

At least 10 criminal and espionage groups worldwide have exploited the flaws in the Exchange Server email program, antivirus company ESET said in a blog post on Wednesday.

Who was the target?

Cybersecurity experts tell CBS News that tens of thousands of private and public US entities have been affected. “Initially, the initial estimates were that 30,000 people were hacked. We are now seeing a number that is much higher,” Kennedy said. “Worldwide it is certainly in the hundreds of thousands of servers that have been hacked.”

The list of victims worldwide continues to grow and includes schools, hospitals, cities and pharmacies. Cybersecurity firm CyberEye identified in a blog post “a range of affected victims, including US retailers, local governments, a university and an engineering firm.”

The European Banking Authority, the banking regulator for the EU, announced it had been hit.

The attack largely spared Fortune 500 companies and large organizations that had migrated their servers to Microsoft Exchange Online, Microsoft’s cloud-based email and calendar service. But the widespread attack will prove painful for smaller companies that run Microsoft Exchange on their own on-premises servers and are the least able to afford high-quality security.

“By far the most worrying victims are small and medium-sized businesses that don’t follow security news every day, who may not be aware of this massive patch,” Katie Nickels, intelligence director for cybersecurity firm Red Canary, told CBS News. She added that notifying victims is a “huge challenge” given the large number of organizations affected. “What worries me most is everyone we don’t see,” she said.

Has the federal government been breached?

Officials have not confirmed breaches of federal agencies, Eric Goldstein, executive assistant director of CISA’s cybersecurity division, told lawmakers last week. “At the moment, there are no federal civilian agencies confirmed to be affected by this campaign.”

But National Security Advisor Jake Sullivan said on Friday that the federal government is “still trying to determine the scope and scale” of the hack.

The Cybersecurity and Infrastructure Security Agency (CISA) said the breach “poses an unacceptable risk to federal civilian executive agencies,” and issued an emergency directive on March 2 requiring all agencies to immediately apply the patch or disconnect their Exchange servers from the network.

What is the risk?

Cybersecurity firms say they are beginning to observe hackers stealing passwords from networks and installing cryptocurrency mining malware on servers.

And Microsoft said in a late-night tweet on Thursday that it had discovered a new strain of “ransomware,” a type of malicious software designed to block access to a computer until the victim pays a sum of money.

While businesses may assume their systems are safe once they install Microsoft’s security patch, the emergency update does not remove attackers who are already on the servers, leaving already-breached organizations open to further exploitation.

“There is also a lot of concern as China begins to sell these accounts” to bad actors, including “ransomware authors to do as much damage as possible,” Kennedy said. “So this is a very critical period for us.”

Is this connected to Solarwinds?

The latest attack is not connected to last year’s SolarWinds breach, although the timing of two massive, consecutive cyberhacks has limited the capacity to respond.

“The big impact on the industry is timing,” said Nickels. “We’ve been dealing with a pandemic for a year. People work remotely, and they’re exhausted and stressed.”

U.S. officials tell CBS News that while the SolarWinds hack has more implications for national security, given that hackers gained access to nine federal agencies in that attack, the attack on Microsoft Exchange is far more widespread.

“This is definitely bigger than SolarWinds,” Kennedy said. “While [SolarWinds] was bad, it didn’t get close to the width of the systems here.”

“This hack is much noisier and much easier to detect, but the scale is what makes this so concerning,” Nickels said.

Senior White House officials told reporters on Friday that the Biden administration will announce executive action in the wake of the SolarWinds attack. The White House is also unveiling a new cyber executive order in “the coming weeks,” which includes a proposal to assign letter-grade cybersecurity ratings to software vendors used by the federal government.

It remains unclear whether the forthcoming executive order will also address the risks of the latest Microsoft Exchange hack.

Both Russian and Chinese officials have denied responsibility. Last week, Foreign Ministry spokesman Wang Wenbin said China “is strongly resisting and fighting cyber-attacks and cyber-theft in all forms.”

Margaret Brennan contributed to this report.