Four exploits found in Microsoft’s Exchange Server software have reportedly led to over 30,000 US governmental and commercial organizations having their emails hacked, according to a report by KrebsOnSecurity. Wired is also reporting “tens of thousands of email servers” hacked. The exploits have been patched by Microsoft, but security experts talking to Krebs say that the detection and cleanup process will be a massive effort for the thousands of state and city governments, fire and police departments, school districts, financial institutions, and other organizations that were affected.
According to Microsoft, the vulnerabilities allowed hackers to gain access to email accounts, and also gave them the ability to install malware that might let them back into those servers at a later time.
Krebs and Wired report that the attack was carried out by Hafnium, a Chinese hacking group. While Microsoft hasn’t spoken to the scale of the attack, it also points to the same group as having exploited the vulnerabilities, saying that it has “high confidence” that the group is state-sponsored.
According to KrebsOnSecurity, the attack has been ongoing since January 6th (the day of the riot), but ramped up in late February. Microsoft released its patches on March 2nd, which means that the attackers had almost two months to carry out their operations. The president of cyber security firm Volexity, which discovered the attack, told Krebs that “if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
Both the White House National Security Advisor, Jake Sullivan, and former director of the Cybersecurity and Infrastructure Security Agency Chris Krebs (no relation to KrebsOnSecurity) have tweeted about the severity of the incident.
This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03. Check for 8 character aspx files in C:\\inetpub\wwwroot\aspnet_client\system_web\. If you get a hit on that search, you’re now in incident response mode. https://t.co/865Q8cc1Rm
— Chris Krebs (@C_C_Krebs) March 5, 2021
Microsoft has released several security updates to fix the vulnerabilities, and suggests that they be installed immediately. It is worth noting that, if your organization uses Exchange Online, it will not have been affected — the exploit was only present on self-hosted servers running Exchange Server 2013, 2016, or 2019.
While a large-scale attack, likely carried out by a state-run organization may sound familiar, Microsoft is clear that the attacks are “in no way connected” to the SolarWinds attacks that compromised US federal government agencies and companies last year.
It’s likely that there are still details to come about this hack — so far, there hasn’t been an official list of organizations that have been compromised, just a vague picture of the large scale and high-severity of the attack.
A Microsoft spokesperson said that the company is “working closely with the [Cybersecurity and Infrastructure Security Agency], other government agencies, and security companies, to ensure we are providing the best possible guidance and mitigation for our customers,” and that “[t]he best protection is to apply updates as soon as possible across all impacted systems.”