Chinese hacking spree hit an “astronomical” number of victims

When the news broke earlier this week that Chinese hackers were actively targeting Microsoft Exchange servers, the cybersecurity community warned that the zero-day vulnerabilities they exploited could have allowed them to hit countless organizations around the world. Now it is becoming clear just how many email servers they have broken into. Apparently, the group known as Hafnium compromised as many victims as it could find on the global Internet, leaving behind backdoors so that it could return later.

Hafnium has now exploited the zero-day vulnerabilities in Microsoft Exchange’s Outlook Web Access servers to compromise no fewer than tens of thousands of email servers, according to sources familiar with the investigation into the hacking campaign who spoke with WIRED. The intrusions, first observed by security firm Volexity, began on January 6, with a significant increase since last Friday and a further increase earlier this week. The hackers appear to have responded to Microsoft’s patch, released on Tuesday, by accelerating and automating their hacking campaign. A security researcher involved in the investigation who spoke to WIRED on condition of anonymity counted the hacked Exchange servers at over 30,000 in the US alone and hundreds of thousands worldwide, all apparently by the same group. Independent cybersecurity journalist Brian Krebs was the first to report the 30,000 figure on Friday, citing sources who briefed national security officials.

“It’s massive. Absolutely massive,” a former national security official with knowledge of the investigation told WIRED. “We are talking about thousands of compromised servers per hour globally.”

At a news conference Friday afternoon, White House Press Secretary Jen Psaki warned anyone running the affected Exchange servers to immediately apply the Microsoft patch for the vulnerabilities. “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this,” Psaki said, in a rare case of a White House press secretary commenting on specific cybersecurity vulnerabilities. “Network owners must also consider whether they have already been compromised and should take appropriate action immediately.” That advice from the White House echoed a tweet from the former director of the Cybersecurity and Infrastructure Security Agency, Chris Krebs, on Thursday night, advising anyone with an exposed Exchange server to “assume compromise” and begin incident response measures to eliminate the hackers’ access.

Affected networks, which probably include those of small and medium-sized organizations rather than large enterprises, which tend to use cloud-based e-mail systems, appear to have been hacked indiscriminately by automated scanning. The hackers planted a “web shell” – a remotely accessible, web-based backdoor – on the Exchange servers they exploited, allowing them to perform reconnaissance on the target machines and move laterally to other computers on the network.

This means that only a small number of the hundreds of thousands of hacked servers around the world are likely to be actively targeted by the Chinese hackers, says Volexity founder Steven Adair. However, any organization that does not take steps to remove the hackers’ backdoors remains compromised, and the hackers could re-enter their networks to steal data or wreak havoc until that web shell is removed. “A massive, massive number of organizations are getting that initial foothold,” says Adair. “It’s a time bomb that can be used against them at any time.”
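As an added example (not code from the WIRED article, from Volexity, or from Microsoft), the Python script below shows the kind of first-pass check that the “assume compromise” advice implies for a web shell like the one described above: walk an IIS/Exchange web root, flag server-side script files that were written after an assumed cut-off date or that contain source patterns typical of one-file web shells, and rank them for an analyst. The directory layout, the pattern list and the cut-off date are assumptions, and the files it scans are constructed in a temporary directory so that it runs offline.

```python
"""Heuristic web-shell triage for an IIS/Exchange web root (added example)."""
from __future__ import annotations

import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# File types the IIS worker process executes as server-side code (assumed list).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Source patterns typical of one-file web shells: request input handed straight
# to an evaluator, an echo, or a process launcher. Assumed list; extend to taste.
SHELL_PATTERNS = {
    "eval-of-request": re.compile(r"eval\s*\(\s*Request", re.IGNORECASE),
    "process-start": re.compile(r"Process\.Start|System\.Diagnostics\.Process", re.IGNORECASE),
    "cmd-exe": re.compile(r"cmd\.exe", re.IGNORECASE),
    "echo-request": re.compile(r"Response\.Write\s*\(\s*Request", re.IGNORECASE),
    "jscript-eval": re.compile(r"JScript\.eval", re.IGNORECASE),
}

# Assumed cut-off: the article dates the first intrusions to January 6, so any
# server-side script written after that deserves a look even without a pattern hit.
CUTOFF = datetime(2021, 1, 6, tzinfo=timezone.utc)


def scan_file(path: Path, cutoff: datetime) -> dict | None:
    """Return a finding for one file, or None if nothing stands out."""
    reasons: list[str] = []
    mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
    if mtime > cutoff:
        reasons.append(f"modified after cutoff ({mtime:%Y-%m-%d})")
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return None
    for name, pattern in SHELL_PATTERNS.items():
        if pattern.search(text):
            reasons.append(f"pattern:{name}")
    if not reasons:
        return None
    # Content matches weigh more than a timestamp alone: attackers can backdate
    # mtimes, and legitimate patching also rewrites shipped pages.
    score = sum(2 for r in reasons if r.startswith("pattern:")) + (1 if mtime > cutoff else 0)
    return {"path": path, "score": score, "reasons": reasons}


def scan_tree(root: Path, cutoff: datetime = CUTOFF) -> list[dict]:
    """Scan every server-side script under root; highest score first."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTENSIONS:
            finding = scan_file(path, cutoff)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def build_demo_tree() -> Path:
    """Constructed sample web root (not real Exchange files) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="owa-demo-"))
    old = datetime(2020, 12, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2021, 3, 3, tzinfo=timezone.utc).timestamp()
    samples = {
        # Shipped page: present before the campaign, ordinary markup only.
        "owa/auth/logon.aspx": ('<%@ Page Language="C#" %>\n<form runat="server"></form>\n', old),
        # Dropped file: new, and it feeds a request parameter to an evaluator
        # (constructed, non-functional fragment that only exists to be detected).
        "owa/auth/help.aspx": ('<%-- constructed sample --%>\n<% eval(Request["cmd"]) %>\n', new),
        # New but benign page: only its timestamp stands out.
        "owa/auth/error.aspx": ('<%@ Page Language="C#" %>\n<p>An error occurred.</p>\n', new),
        # Not a server-side script; never scanned.
        "owa/auth/theme.css": ("body { color: #000; }\n", new),
    }
    for rel, (content, mtime) in samples.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(content)
        os.utime(f, (mtime, mtime))
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_demo_tree()):
        print(finding["score"], finding["path"], ", ".join(finding["reasons"]))
```

Run against a real web root, the timestamp reason alone is a weak signal (a patch rewrites files too), which is why the ranking puts pattern hits first; a file that scores on both is the one to pull for analysis, and any confirmed shell means treating the host as compromised rather than just deleting the file.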

Although the vast majority of intrusions appear to have consisted only of those web shells, the “astronomical” scale of these global compromises is uniquely disturbing, a security researcher who took part in the investigation told WIRED. The small and medium-sized organizations that have been compromised include local government agencies, police, hospitals, Covid response, energy, transportation, airports and prisons. “China just owned the world – or at least everyone with Outlook Web Access,” the researcher said. “When was the last time someone was so bold that he hit everyone?”
