Victims of a massive global hack of Microsoft's email server software, estimated in the tens of thousands by cybersecurity responders, rushed on Monday to shore up infected systems and try to reduce the chances of intruders stealing data or crippling their networks.
The White House described the hack as “an active threat” and said senior national security officials were addressing it.
The breach was discovered in early January and attributed to Chinese cyber spies targeting US policy think tanks. Then, in late February, five days before Microsoft released a patch on March 2, there was an explosion of infiltrations by other intruders piggybacking on the initial breach. Victims span the spectrum of organizations that run their own email servers, from mom-and-pop retailers to law firms, municipal governments, health care providers and manufacturers.
While the hack does not pose the kind of national security threat that the more sophisticated SolarWinds campaign did, which the Biden administration blames on Russian intelligence officers, it could be an existential threat to victims who did not install the patch in time and now have hackers lingering in their systems. The hack is a new challenge for the White House, which, even as it prepares to respond to the SolarWinds breach, must now contend with a formidable and very different threat from China.
"I would say it's a serious economic security threat, because so many small companies out there can literally have their business destroyed by a targeted ransomware attack," said Dmitry Alperovitch, the former chief technology officer of the cybersecurity firm CrowdStrike.
He blames China for the global wave of infections that began on February 26, although other researchers say it is too early to be confident about attribution. It is a mystery how those hackers learned of the original breach, because no one knew about it except a few researchers, Alperovitch said.
After the patch was released, a third wave of infections began, a pile-on that typically occurs in such cases because Microsoft dominates the software market and offers a single point of attack.
Cybersecurity analysts trying to get a full picture of the hack said their analyses matched the figure of 30,000 U.S. victims published on Friday by cybersecurity blogger Brian Krebs. Alperovitch said an estimated 250,000 victims had been reported worldwide.
Microsoft declined to say how many customers it thinks are infected.
David Kennedy, CEO of the cybersecurity firm TrustedSec, said hundreds of thousands of organizations could have been vulnerable to the hack.
"Anyone with Exchange installed was potentially vulnerable," he said. "It's not every one of them, but it's a big percentage of them."
Katie Nickels, director of intelligence at the cybersecurity firm Red Canary, warned that installing patches will not be enough to protect those already infected. "If you patch today, that will protect you going forward, but if your adversaries are already in your system, then you have to take care of that," she said.
A smaller number of organizations were targeted in the initial intrusion by hackers who took data, stole credentials or explored inside networks and left behind backdoors at universities, defense contractors, law firms and infectious disease research centers, the researchers said. Among those Kennedy has worked with are manufacturers worried about the theft of intellectual property, hospitals, financial institutions and managed service providers that host multiple corporate networks.
"On a scale of one to 10, this is a 20," Kennedy said. "It was essentially a skeleton key to open up any company that had this Microsoft product installed."
Asked for comment, the Chinese embassy in Washington pointed last week to remarks by Foreign Ministry spokesman Wang Wenbin, who said that China "strongly opposes and combats cyber attacks and cyber theft in all its forms" and cautioned that attribution of cyber attacks should be based on evidence and not "baseless allegations".
The hack did not affect the cloud-based Microsoft 365 email and collaboration systems favored by Fortune 500 companies and other organizations that can afford quality security. That highlights what some in the industry lament as two classes of computing security: the "haves" and the "have-nots".
Ben Read, director of analysis at Mandiant, said the cybersecurity firm had not seen anyone use the hack for financial gain, "but for those affected, time is of the essence in solving this problem."
This is easier said than done for many victims. Many have skeletal IT staffs and cannot afford an emergency cybersecurity response, not to mention the complications of the pandemic.
Fixing the problem is not as simple as pressing an update button on a screen. The security update only installs on servers already running a current version of Exchange, and bringing an out-of-date server forward can require upgrading an organization's entire so-called "Active Directory", the directory service that catalogs email users and their privileges.
“Removing the email server is not something you do easily,” said Alperovitch, who leads the nonprofit Silverado Policy Accelerator think tank.
Tony Cole of Attivo Networks said the sheer number of potential victims creates a perfect "smoke screen" for nation-state hackers to hide a much smaller list of intended targets by tying up already overburdened cybersecurity officials. "There are not enough incident response teams to handle all this."
Many experts were surprised and puzzled by how the groups rushed to infect server installations just before Microsoft released its patches. Kennedy of TrustedSec said Microsoft took too long to release a patch, though he did not think it should have let people know about the flaw before the patch was ready.
Steven Adair of the cybersecurity company Volexity, which alerted Microsoft to the initial intrusion, described "mass, indiscriminate exploitation" that began the weekend before the patch was released and involved "groups from many different countries, (including) criminal actors".
The Cybersecurity and Infrastructure Security Agency issued an emergency alert about the hack on Wednesday, and National Security Adviser Jake Sullivan wrote about it on Twitter the following night.
But the White House has not yet announced any specific response initiatives.