Microsoft announced this week that another of its email products, Exchange, had been compromised through a hacking campaign. This recent hack is completely unrelated to the “SolarWinds” attack, in which Microsoft also played a role.
A state-sponsored threat actor from China known as “HAFNIUM” has been exploiting several zero-day vulnerabilities in on-premises Microsoft Exchange servers worldwide in an apparent effort to steal data. Exchange works alongside mail clients such as Microsoft Office, keeping mail synchronized across devices. It is a very widely used product, to say the least. While Microsoft has tried to play down the potential scope of this hack (it is said to be “limited and targeted in nature”), that assessment appears to be badly wrong.
The White House is among several parties to disagree with the “limited and targeted” assessment; on Friday it said it was “concerned” about the extent of the attack. During a press conference, Biden administration press secretary Jen Psaki said:
Everyone is running these servers – government, private sector, academics – there needs to be work now to patch them. We are concerned that there are a significant number of victims and are working with our partners to understand the scope of this … Network owners also need to consider whether they have already been compromised and they should take appropriate steps immediately. The Cybersecurity and Infrastructure Security Agency issued an emergency directive to the agencies, and we are now closely watching the next steps we need to take. It is still evolving. We urge network operators to take this very seriously.
In fact, CISA took the unusual step on Wednesday of ordering all federal agencies to patch any Exchange servers they had in use: “CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” the agency stated, giving agencies until Friday afternoon to patch the related weaknesses.
All this concern may be explained by claims that the number of parties affected by the hack runs into the thousands. Indeed, KrebsOnSecurity reported on Friday that “at least 30,000” US organizations had been hacked via the newly discovered Exchange Server flaws, and that possibly hundreds of thousands of servers worldwide had been compromised as a result of the campaign. According to an anonymous source familiar with the government’s response efforts, “20,000 American organizations” have been compromised through the vulnerabilities.
Jake Sullivan, President Biden’s National Security Advisor, made clear via Twitter that the administration was concerned.
Former CISA director Chris Krebs said on Friday that organizations whose servers were exposed to the Internet during a specific timeframe should assume they had been compromised by the hacking operation.
A more on-the-ground perspective on the hack was provided by the security firm Huntress, which released a report on Wednesday detailing the webshells it had observed deployed against unpatched Microsoft Exchange servers:
Currently, we have identified 176 servers from our partners that have received the webshell payload from update 1 (below). These companies do not align perfectly with Microsoft’s guidance as some individuals are small hotels, an ice cream company, a kitchen appliance manufacturer, many senior citizen communities, and other “less than sexy” mid-market businesses. Along with this, we have also seen many city and county government victims, healthcare providers, banks/financial institutions and many residential electricity providers.