“Crazy Huge Hack” from Microsoft, explained

Photo: David Ramos (Getty Images)

Last week, Microsoft announced that the on-premises version of Exchange, its widely used e-mail and calendar product, had several previously undisclosed security flaws. These flaws, the company said, have been used by foreign threat actors to enter the networks of US companies and governments, primarily to steal large amounts of e-mail data. Since then, the main question on everyone’s mind has been: how bad is it?

The short answer is: it’s pretty bad.

So far, descriptors like “crazy huge,” “astronomical,” and “unusually aggressive” seem to be right on the money. As a result of the Exchange vulnerabilities, tens of thousands of US-based entities are likely to have had malicious backdoors implanted in their systems. Anonymous sources close to the investigation have repeatedly told the media that somewhere around 30,000 US organizations have been compromised because of the security shortcomings (if correct, these figures dwarf SolarWinds, which led to the compromise of about 18,000 entities and nine federal agencies, according to the White House). The number of compromised entities worldwide could be much higher. A source told Bloomberg recently that there are “at least 60,000 known victims globally.”

Even more problematic, some researchers have said that since the public disclosure of the Exchange vulnerabilities, attacks on the product appear to have accelerated. Anton Ivanov, a threat research specialist at Kaspersky, said in an email that his team had seen an increase in activity over the past week.

“From the beginning, we anticipated that attempts to exploit these vulnerabilities would increase rapidly, and this is exactly what we see now – so far we have detected such attacks in over a hundred countries, essentially in every part of the world,” Ivanov told Gizmodo. “Even if the initial attacks could have been targeted, there is no reason why the actors should not try their luck by essentially attacking any organization running a vulnerable server. These attacks are associated with a high risk of data theft or even ransomware attacks, and therefore organizations need to take protective measures as soon as possible.”

How do the attacks happen?

Microsoft Exchange Server comes in two forms, which has led to some confusion about which systems are at risk: there is an on-premises product and a software-as-a-service cloud product. The cloud product, Exchange Online, is said not to be affected by the security flaws. As mentioned above, it is the on-premises product that is being exploited. Other e-mail products are not believed to be vulnerable. As CISA put it, “Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments.”

There are four vulnerabilities in on-premises Exchange servers that are being actively exploited (see: here, here, here, and here). Three other related vulnerabilities exist, but authorities say they have not yet seen them actively exploited (see: here, here, and here). Patches can be found on the Microsoft website; however, as we will discuss in more detail later, there have been some issues with applying them correctly.

So far, Microsoft has blamed a threat actor called “HAFNIUM” for the Exchange intrusions. HAFNIUM is said to be a state-sponsored group whose modus operandi involves exploiting security flaws to deploy web shells – malicious scripts that act as backdoors on compromised systems. These web shells give the attackers remote access to the servers, from which they then exfiltrate large chunks of e-mail data, including entire inboxes. HAFNIUM’s purpose appears to be intelligence gathering. Although the group is believed to be based in China, the Chinese government has denied any responsibility.

However, security researchers say it is almost certain that other threat actors are also exploiting the vulnerabilities. The security firm Red Canary reported over the weekend that it had observed several clusters of activity targeting Exchange servers and that organizations should not assume they are necessarily being targeted by HAFNIUM – it could be someone else. “Based on our visibility and that of researchers at Microsoft, FireEye and others, there are at least 5 different activity clusters that appear to be exploiting the vulnerabilities,” Red Canary researcher Katie Nickels said Saturday.

Who has been hit

Because of the widespread use of Exchange, many different kinds of entities are at risk. Some large organizations, including the European Banking Authority, have already announced breaches. It is not yet known whether the US government was affected, although many agencies, including the Pentagon, are currently combing their own networks to determine whether they have been compromised.

Security researchers have expressed particular concern about smaller entities – specifically city and county governments and small and medium-sized businesses – which they say are more at risk. In North Dakota, the state government recently acknowledged that it had been targeted by HAFNIUM and that it is investigating whether Chinese hackers stole data.

Lior Div, CEO of the security firm Cybereason, said smaller businesses are particularly at risk of being compromised by these campaigns. Div pointed out the potential impact the hack could have on local economies if the attacks prove to be destructive rather than merely intrusive:

“The latest attack on Microsoft Exchange is 1,000 times more devastating [than SolarWinds] because Chinese attackers targeted SMEs [small and medium-sized enterprises], the lifeblood of the US economy and the engine of the global economy,” Div said in an e-mail. “SMEs have been hardest hit by the COVID-19 pandemic, with millions of companies closing worldwide. And just as we begin to turn the corner after a devastating year, this attack on SMEs is launched. This attack is potentially even more damaging, as SMEs do not usually have an equally robust security posture, allowing threat actors to take advantage of the weak and thus drive strong revenue streams.”

What is being done

The White House announced late Sunday that it had formed a task force to investigate the extent of the hack. That response may be slowed, however, by the fact that the Biden administration is already juggling a response to the SolarWinds hack (the White House is currently weighing cyber operations and sanctions against Russia for its alleged role in those attacks).

As mentioned above, Microsoft has released patches for the vulnerabilities, but these patches have had some issues. On Thursday, a Microsoft spokesman said that in some cases the patches appeared to install successfully but did not actually fix the vulnerabilities. A complete breakdown of this issue can be found on the Microsoft website.

Organizations have been warned that they should not just patch the vulnerabilities but should also investigate whether they have already been compromised. Microsoft has announced resources to help with that. It has issued an update to its Microsoft Safety Scanner (MSERT) that can help identify whether web shells have been deployed on Exchange servers. MSERT is an anti-malware tool that searches for, identifies and removes malware from a system.

Other than shoring up defenses and inspecting systems for signs of compromise, there may not be much that can be done at this point. As with SolarWinds, Americans will probably have to sit and wait. It will certainly take time to understand how big the damage is.
