“Hack anyone you can”: What to know about the massive Microsoft Exchange breach

Cybersecurity responders are working around the clock to shore up networks affected by last week’s hack of Microsoft’s Exchange email service – an attack that affected hundreds of thousands of organizations around the world.

On Friday, the White House urged victims to patch their systems and stressed the urgency: the window for updating systems could be measured in “hours, not days,” a senior government official said.

“This is a huge hack,” Christopher Krebs, former director of the US Cybersecurity and Infrastructure Security Agency (CISA), posted to Twitter last week.

The full scope of the hack is still being measured. President Joe Biden was briefed on the attack and spoke with leaders from India, Japan and Australia at a summit on Friday, National Security Adviser Jake Sullivan said. The National Security Council convened a government task force with several agencies to address the massive breach.

The breach follows last year’s Russia-linked hack, which used SolarWinds software to spread malicious code across 18,000 government and private computer networks.

FireEye CEO Kevin Mandia takes a tour of the cybersecurity company’s unused office space in Reston, Virginia on Tuesday, March 9, 2021. Mandia said 550 of his employees work remotely and are responding to the recent barrage of cyber breaches, including four different zero-day attacks against Microsoft Exchange.

Nathan Ellgren / AP

“SolarWinds was bad. But the mass hacking that is happening here is literally the biggest hack I’ve seen in my fifteen years,” said David Kennedy, CEO of cybersecurity firm TrustedSec. “In this specific case, there was no rhyme or reason to who [the attackers] hacked. They literally hacked anyone they could in this short period of time and caused as much pandemonium and chaos as possible.”

Here’s what you need to know about the Microsoft Exchange hack:

When did the attack start?

Hackers began stealthily targeting Exchange servers “in early January,” according to cybersecurity firm Volexity, which Microsoft has credited with identifying the initial exploits.

According to Microsoft Vice President Tom Burt, hackers first gained access to an Exchange server either with stolen passwords or by using previously undiscovered vulnerabilities to “disguise themselves as someone who should have access.” Using web shells, the hackers controlled the servers via remote access – operated from private servers in the US – to steal data from the victim’s network.

Who is behind the attack?

Microsoft has identified a group based in China, known as “Hafnium”, as the main actor behind the initial attacks.

The Hafnium Group has historically targeted “infectious disease researchers, law firms, higher education institutions, defense contractors, political think tanks and NGOs,” Burt wrote in a post on the company’s blog.

In this photo illustration, a Microsoft logo is seen displayed on a smartphone with market values in the background.

Omar Marques / SOPA Images / Sipa USA via AP Images

How did Microsoft respond?

Microsoft made the vulnerabilities public on March 2 and released patches for several versions of Exchange. While Microsoft usually releases updates on the second Tuesday of each month – known as “Patch Tuesday” – this announcement came on the first Tuesday of the month, an indication of urgency.

Days later, the company also took the unusual step of releasing security patches for outdated versions of Exchange Server.

A Microsoft spokesman told CBS News that the company is working closely with CISA, other government agencies and security companies. In a statement to CBS News last week, the company said: “The best protection is to apply updates as soon as possible to all affected systems. We continue to help customers by providing additional investigation and mitigation guidance. Affected customers should contact our support teams for additional help and resources.”

How did the attack evolve?

Experts say it is common for hackers to intensify an attack immediately before a fix is released, but the pace was much faster in this case. “Once a patch is imminent, [hackers] could lead to wider exploitation because there is this ‘use it or lose it’ factor,” said Ben Read, director of threat analysis at cybersecurity company Mandiant.

In late February, just days before Microsoft released its security patch, security researchers saw a second, automated wave of attacks targeting victims across industries.

“They were very aggressive, basically hacking everyone,” Kennedy said. The hackers planted backdoors known as “web shells” on compromised systems, launching attacks on organizations “without rhyme or reason”. Kennedy added: “I haven’t seen this in China in the past.”

Microsoft said Friday that it is investigating whether the attackers were tipped off that a patch was imminent. The internal probe focuses on “what could have caused the increase in malicious activity” at the end of February, but investigators have not yet reached conclusions. “We have not seen any indication of a leak from Microsoft related to this attack,” a Microsoft spokesman told CBS News.

What did the hackers want?

The hackers’ purpose is unclear. “Tens of thousands of targets, most of which have no intelligence value,” Read said. “They’re just small towns and local businesses. Their information probably has no value to the Chinese government.” Read called the “level of mass exploitation” of bystander organizations a “very rare” show of force.

And what began as a hack led by Chinese hackers soon drew in criminal gangs from other countries, including Russia.

At least 10 criminal and espionage groups have exploited the flaws in the Exchange Server email program around the world, antivirus company ESET said in a blog post on Wednesday.

Who was targeted?

Cybersecurity experts tell CBS News that tens of thousands of private and public entities in the United States have been affected. “Initially, early estimates were that 30,000 were hacked. We now see a much larger number,” Kennedy said. “Globally, it’s certainly in the hundreds of thousands of servers that have been broken into.”

The list of victims around the world continues to grow, including schools, hospitals, cities and pharmacies. Cybersecurity firm CyberEye identified “a number of affected victims, including US retailers, local governments, a university and an engineering firm” in a blog post.

The European Banking Authority, the EU’s banking regulator, has announced that it has been hit.

The attack was largely avoided by Fortune 500 companies and large organizations that had migrated their servers to Microsoft Exchange Online – Microsoft’s cloud-based email and calendar service. But the large-scale attack will prove painful for smaller companies that run Microsoft Exchange on their own on-premises servers and can least afford state-of-the-art security.

“By far the most worrying victims are small and medium-sized businesses that don’t follow the security news every day, who may not be aware that this massive patch exists,” Katie Nickels, chief information officer at cybersecurity firm Red Canary, told CBS News. She added that victim notification presented a “huge challenge”, given the large number of organizations affected. “The thing that worries me the most is everyone we don’t see,” she said.

Has the federal government been breached?

Officials have not confirmed a breach of any federal agency, Eric Goldstein, assistant chief executive of CISA’s cybersecurity division, told lawmakers last week. “At this time, there are no federal civilian agencies that can be confirmed to be compromised by this campaign.”

But National Security Adviser Jake Sullivan said Friday that the federal government is “still trying to determine the purpose and extent” of the hack.

The Cybersecurity and Infrastructure Security Agency (CISA) said the breach “poses an unacceptable risk to Federal Civilian Executive Branch agencies” and issued an emergency directive on March 2 requiring all agencies to immediately apply the patch or disconnect from Exchange Server if affected.

What is the risk?

Cybersecurity firms say they have begun to observe hackers stealing passwords from networks and installing cryptocurrency-mining malware on servers.

And Microsoft said in a tweet late Thursday that it had detected a new strain of “ransomware” – a kind of malicious software designed to block access to a computer until the victim pays a sum of money.

While companies may assume that their systems are secure once they install the Microsoft security patch, the emergency update does not expel attackers who are already inside, leaving already-breached organizations susceptible to further exploitation.

“There are also a lot of concerns now that China will sell these accounts” to bad actors, including “ransomware perpetrators to cause as much damage as possible,” Kennedy said. “So right now is a very critical time for us.”

Is this connected to SolarWinds?

The latest attack is not related to last year’s SolarWinds breach, although the timing of two consecutive, massive cyber hacks has strained responders’ capacity.

“The big impact on the industry is the timing,” Nickels said. “We have been in a pandemic for a year. People are working remotely and are exhausted and stressed.”

U.S. officials told CBS News that while the SolarWinds hack has serious implications for national security, given that the hackers in that attack accessed nine federal agencies, the Microsoft attack is more widespread.

“This is definitely bigger than SolarWinds,” Kennedy said. “While [SolarWinds] was bad, it didn’t come close to the breadth of the systems here.”

“This hack is much noisier and much easier to detect, but the scale is what makes this so worrying,” Nickels said.

Senior White House administration officials told reporters on Friday that the Biden administration would announce executive action in response to the SolarWinds attack. The White House is also preparing a new cyber executive order in the “next few weeks,” which includes a proposal to assign letter-grade cybersecurity ratings to software vendors used by the federal government.

It remains unclear whether the forthcoming executive order will also address the risks posed by the latest Microsoft Exchange hack.

Both Russian and Chinese officials have denied responsibility. Last week, Foreign Ministry spokesman Wang Wenbin said China “strongly opposes and combats cyber attacks and cyber theft in all its forms.”

Margaret Brennan contributed to this report.
