Microsoft’s “Crazy Huge Hack”, Explained


Photo: David Ramos (Getty Images)

Last week, Microsoft announced that the on-premises version of its widely used email and calendar product, Exchange, had several previously undisclosed security flaws. These flaws, the company said, were used by foreign threat actors to hack into the networks of US companies and governments, primarily to steal large amounts of email data. Since then, the main question on everyone’s mind has been: how bad is this really?

The short answer is: it is pretty bad.

Descriptors so far like “crazy huge,” “astronomical,” and “unusually aggressive” seem to be right on the money. As a result of the Exchange vulnerabilities, it is likely that tens of thousands of US-based entities have had malicious backdoors implanted in their systems. Anonymous sources close to the investigation have repeatedly told the press that about 30,000 U.S. organizations have been compromised as a result of the security flaws (if correct, these numbers officially eclipse SolarWinds, which led to the compromise of about 18,000 domestic entities and nine federal agencies, according to the White House). The number of entities compromised worldwide could be much greater. A source recently told Bloomberg that “there are at least 60,000 known victims worldwide.”

Even more troubling, some researchers have said that since the Exchange vulnerabilities were disclosed, attacks against the product appear to have actually accelerated. Anton Ivanov, a threat research specialist at Kaspersky, said in an email that his team has seen an increase in activity over the past week.

“From the outset, we expected attempts to exploit these vulnerabilities to increase rapidly, and this is exactly what we are seeing now – so far we have detected such attacks in more than a hundred countries, essentially in every part of the world,” Ivanov told Gizmodo. “While the early attacks may have been targeted, there is no reason for actors not to try their luck by attacking virtually any organization running a vulnerable server. These attacks carry a high risk of data theft or even ransomware attacks, so organizations must take protective measures as soon as possible.”

How do the attacks happen?

Microsoft Exchange Server comes in two forms, which has led to some confusion as to which systems are at risk: there is an on-premises product and a software-as-a-service cloud product. The cloud product, Exchange Online, is not affected by the security flaws. As mentioned earlier, it is the on-premises product that is being exploited. Other Microsoft email products are not considered vulnerable. As CISA has said, “Neither the vulnerabilities nor the identified exploit activity is currently known to affect deployments of Microsoft 365 or Azure Cloud.”

There are four vulnerabilities in on-premises Exchange servers that are being actively exploited. Three other security-related vulnerabilities exist, but authorities say these are not yet being actively exploited. Patches can be found on Microsoft’s website, although, as we will discuss in more detail later, there have been some issues with applying them properly.

So far, Microsoft has primarily blamed a threat actor named “HAFNIUM” for the Exchange breaches. HAFNIUM is reportedly a state-sponsored group whose modus operandi involves exploiting the vulnerabilities to deploy web shells – malicious scripts that can act as backdoors to systems. These web shells allow hackers to access servers remotely and then exfiltrate large amounts of email data, including entire inboxes. The purpose of HAFNIUM appears to be intelligence gathering. While the group is believed to be based in China, the Chinese government has denied any responsibility.

However, security researchers say it is almost certain that other threat actors are also involved in exploiting the vulnerabilities. Security firm Red Canary reported over the weekend that it had observed multiple clusters of activity targeting Exchange servers and that organizations shouldn’t assume they are necessarily targeted by HAFNIUM – it could be someone else. “Based on our visibility and that of researchers from Microsoft, FireEye and others, there are at least 5 different activity clusters that appear to be exploiting the vulnerabilities,” said Red Canary researcher Katie Nickels on Saturday.

Who will be hit

The widespread use of Exchange puts many different types of entities at risk. Some large organizations, including the European Banking Authority, have already announced breaches. There is still no word on whether the US government has been affected, although numerous agencies, including the Pentagon, are currently investigating their own networks to determine whether they have been compromised.

Security researchers have expressed particular concern about smaller entities – in particular city and state governments and small and medium-sized businesses – which they believe are more at risk. In North Dakota, the state government recently admitted that it had been targeted by HAFNIUM and that it was investigating whether Chinese hackers had stolen data.

Lior Div, CEO of security firm Cybereason, said smaller companies in particular were at risk of being compromised by the campaigns. Div highlighted the potential impact this hack could have on the local economy if the attacks turn out to be destructive rather than merely invasive:

“The latest attack on Microsoft Exchange is 1000 times more devastating [than SolarWinds] because the Chinese attackers have targeted SMEs [small and medium size enterprises], the lifeblood of the US economy and the engine of the global economy,” Div said in an email. “SMEs were most affected by the COVID-19 pandemic, with millions of companies around the world closing their doors. And just as we start to turn the corner after a devastating year, this attack on SMEs is launched. This attack is potentially even more damaging because SMEs tend not to have such a robust security attitude, allowing threat actors to prey on the weak and generate strong revenue streams.”

What is being done

The White House announced late on Sunday that it would assemble a working group to investigate the scope of the hack. This response, however, may be slowed down by the fact that the Biden administration is already juggling a response to the SolarWinds hack (the White House is currently considering covert cyber operations and sanctions against Russia for its alleged role in those attacks).

As mentioned above, Microsoft has released patches for the vulnerabilities, but these patches have had some issues. On Thursday, a Microsoft spokesperson noted that in some cases the patches seem to work but don’t actually fix the vulnerability. A full rundown of that problem can be found on Microsoft’s website.

Organizations have been warned not just to patch the vulnerabilities but also to investigate whether they have already been compromised. Microsoft has released resources to help with that. It issued an update to its Safety Scanner tool (MSERT) that can help determine whether web shells have been deployed on Exchange servers. MSERT is an anti-malware tool that searches for, identifies and removes malware on a system.
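Hunting for the web shells described above is the kind of check MSERT performs. As an added example (not Microsoft's tool or anything from the article), the Python script below sweeps a web-content tree for script files carrying web-shell markers; the marker patterns, folder names and sample files are assumptions of the example, constructed so the samples are inert.

```python
import os, re, tempfile, time
from datetime import datetime
# Heuristic markers for ASP.NET web shells (this example's assumption, not
# indicators from the article): server-side code that evaluates request input
# or spawns processes has no place in Exchange's OWA/ECP content folders.
SUSPICIOUS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in
                       (r"eval\s*\(\s*Request", r"Process\.Start\s*\(", r"cmd\.exe")]
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")

def find_suspect_webshells(root, max_age_days=None):
    """Return sorted [(path, matched_patterns, mtime)] for script files under
    `root` whose content matches a marker. `max_age_days` skips older files,
    but attackers can reset timestamps, so a full sweep (None) is safer."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            if max_age_days is not None and time.time() - mtime > max_age_days * 86400:
                continue
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            matched = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(text)]
            if matched:
                hits.append((path, matched, datetime.fromtimestamp(mtime)))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample: a fake OWA auth folder with a legitimate page, a
    freshly planted file and a planted file with a backdated timestamp. The
    markers sit inside a code comment, so the samples are inert but detectable."""
    auth = os.path.join(tempfile.mkdtemp(prefix="exchange-sample-"), "owa", "auth")
    os.makedirs(auth)
    inert = ('<script runat="server">// constructed inert sample: '
             'eval(Request["x"]); Process.Start("cmd.exe")</script>')
    files = {"logon.aspx": '<%@ Page Language="C#" %><form runat="server">Sign in</form>',
             "discover.aspx": inert, "timestomped.aspx": inert}
    for name, body in files.items():
        with open(os.path.join(auth, name), "w") as fh:
            fh.write(body)
    old = time.time() - 400 * 86400  # backdate the legitimate and timestomped files
    for name in ("logon.aspx", "timestomped.aspx"):
        os.utime(os.path.join(auth, name), (old, old))
    return os.path.dirname(os.path.dirname(auth))

if __name__ == "__main__":
    for path, matched, mtime in find_suspect_webshells(build_sample_tree()):
        print(f"SUSPECT {path} (modified {mtime:%Y-%m-%d}): {matched}")
```

The full sweep reports both planted files, while the age-filtered sweep misses the backdated one, which is why a content-based scan should not rely on timestamps alone.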

Other than propping up defenses and inspecting systems for indications of compromise, there may not be much that can be done at this point. As with SolarWinds, Americans will likely just have to wait and see. It will surely take time to understand the extent of the damage.
