Hackers are always on the move to find exploits. And when they find one, they will do whatever they can to get in, and steal.
According to a report from KrebsOnSecurity, four exploits have been found on Microsoft’s Exchange Server software, which reportedly led to over 30,000 U.S. governmental and commercial organizations having their emails hacked.
Microsoft also explained this on its own blog post, saying that the vulnerabilities allowed hackers to gain access to email accounts, and also gave them the ability to install malware to create backdoors, which might have let them to return to the compromised servers at a later time.
The attack has been ongoing since January 6th, and ramped up in late February.
While Microsoft has patched the bugs, the security experts at the cybersecurity firm said that the detection and cleanup process will be a massive, considering that targets included thousands of state and city governments, fire and police departments, school districts, financial institutions, and other organizations.
It was said the actor behind the campaign, was Chinese state-sponsored hacking group called Hafnium.
This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03. Check for 8 character aspx files in C:\\inetpub\wwwroot\aspnet_client\system_web\. If you get a hit on that search, you’re now in incident response mode. https://t.co/865Q8cc1Rm
— Chris Krebs (@C_C_Krebs) March 5, 2021
According to a tweet from Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, responding to a tweet from White House National Security Advisor Jake Sullivan, it is said that the campaign is a "real deal," considering its scale.
This news about the campaign first hit the news about a week earlier, when it was reported that Chinese hackers were actively targeting Microsoft Exchange servers, by exploiting zero-day vulnerabilities.
It's only at this time that researchers found the scale of the campaign, as they know how many servers that have been exactly targeted.
It's reported that Hafnium's activities was first spotted by security firm Volexity.
Its founder, Steven Adair, said that any organization that doesn't remove the hackers' backdoor will remains compromised, because the hackers could re-enter their networks to steal data or cause more damage until the web shell is removed.
"A massive, massive number of organizations are getting that initial foothold," says Adair. "It's a ticking time bomb that can be used against them at any point in time."
CISA is aware of widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities and urges scanning Exchange Server logs with Microsoft's IOC detection tool to help determine compromise. https://t.co/khgCR2LAs0. #Cyber #Cybersecurity #InfoSec
— US-CERT (@USCERT_gov) March 6, 2021
In a press conference, White House press secretary Jen Psaki warned anyone running the affected Exchange servers to quickly implement Microsoft's patch for rid the vulnerabilities.
"Network owners also need to consider whether they have already been compromised and should immediately take appropriate steps."
Critical vulnerabilities in Microsoft Exchange on-premise products could enable an attacker to gain control of an entire enterprise network.
We issued Emergency Directive 21-02 to mitigate risk: https://t.co/I0MLDGjw61 (1/4) pic.twitter.com/RAWLGkwoG1
— Cybersecurity and Infrastructure Security Agency (@CISAgov) March 5, 2021
It should be noted that a White House press secretary commenting on specific cybersecurity issues is a rare instance.
And CISA, which is the U.S.’s primary defensive cybersecurity agency, is also not known to actively demand the entire U.S. government take protective steps to protect its cybersecurity.
"We are encouraged that many organizations are voluntarily sharing data with the world, among each other and with government institutions committed to defense. We’re grateful to researchers at Volexity and Dubex who notified us about aspects of this new Hafnium activity and worked with us to address it in a responsible way," said Microsoft in a separate blog post.
It should also be noted that the massive leak came to light, not long after Russian hackers have allegedly compromised the IT management tools from Solar Winds, which were used by some 18,000 organizations. That hacking campaign successfully breached at least half a dozen U.S. federal agencies.