Microsoft’s emergency security patch a few days ago, issued to fix vulnerabilities in Microsoft Exchange Server, did not deter the hacking group that had been exploiting them.
Four vulnerabilities were found in Microsoft Exchange Server, and their exploitation led to the compromise of the email systems of more than 30,000 US government and business organizations.
The Chinese state-sponsored group, called Hafnium, ramped up and automated its campaign after the patch was released.
In the United States, the group has infiltrated at least 30,000 organizations that use Microsoft Exchange Server email, including police departments, hospitals, local governments, banks, nonprofits, and telecom service providers.
While the worldwide victim count is reported to be in the hundreds of thousands, everyone running locally hosted Outlook Web Access that went unpatched for a few days has been attacked.
“Thousands of servers are hacked every hour around the world,” said a former national security official.
When Microsoft announced the fix, it credited security firm Volexity with alerting it to Hafnium’s activities.
Even organizations that patched their servers on the day the security update was released might still be hacked, said Steven Adair, president of Volexity.
Moreover, the patch only closes the vulnerabilities in Exchange Server; organizations that were already hacked still have to remove the backdoor the group planted in their systems.
Hafnium exploits the flaws to implant a malicious web shell on its victims’ servers, giving it administrative access that it can use to steal information.
The Volexity chief and other security experts are concerned that the hackers may install additional backdoors while victims work to remove the existing ones.
Microsoft has made clear from the start that these vulnerabilities have nothing to do with SolarWinds; however, Hafnium’s activities may dwarf the SolarWinds attacks when it comes to victim counts.
Authorities believe that about 18,000 entities have been affected by the SolarWinds breach, as this was the number of customers who downloaded the malicious software update.
Hafnium’s activities focus on small and medium enterprises, whereas the SolarWinds hackers infiltrated large US tech giants and government agencies.
Microsoft said it is working closely with the US Cybersecurity and Infrastructure Security Agency, along with other government agencies and security companies, to provide customers with additional investigation and mitigation guidance.
“So what do you do now? (1) patch (if you haven’t already), (2) assume you’re owned, look for activity, (3) if you aren’t capable of hunting or can’t find a team to help, disconnect & rebuild, (4) move to the cloud, (5) pour one out for IR teams, they’ve had a rough year (s?).”
– Chris Krebs (@C_C_Krebs) March 6, 2021