Microsoft’s “Crazy Huge Hack,” explained


photo: David Ramos (Getty Images)

Last week, Microsoft announced that the on-premises version of its widely used email and calendar product, Exchange, had several previously undisclosed security flaws. These flaws, the company said, were used by foreign threat actors to attack the networks of U.S. companies and governments, primarily to steal large amounts of email data. Since then, the main question on everyone's mind has been: just how bad is it?

The short answer is: it's pretty bad.

So far, descriptors such as "crazy huge," "astronomical" and "unusually aggressive" appear to be on the money. As a result of the Exchange vulnerabilities, tens of thousands of U.S.-based entities are likely to have had malicious backdoors implanted in their systems. Anonymous sources close to the investigation have repeatedly told the media that some 30,000 U.S. organizations have been compromised as a result of the security flaws (if correct, these figures officially dwarf SolarWinds, which compromised some 18,000 entities nationwide and nine federal agencies, according to the White House). The number of entities affected worldwide could be much greater. A source recently told Bloomberg that there are "at least 60,000 known victims worldwide."

Even more problematically, some researchers have said that since the public disclosure of the Exchange vulnerabilities, attacks on the product appear to have accelerated. Anton Ivanov, a threat research specialist at Kaspersky, said in an email that his team has seen an increase in activity over the past week.

"From the beginning, we predicted that attempts to exploit these vulnerabilities would increase rapidly, and this is exactly what we are seeing now: so far we have detected these attacks in more than a hundred countries, essentially in all parts of the world," Ivanov told Gizmodo. "While the initial attacks may have been targeted, there is no reason why actors should not try their luck by essentially attacking any organization that manages a vulnerable server. These attacks are associated with a high risk of data theft or even ransomware attacks, and therefore organizations should take protective measures as soon as possible."

How are the attacks happening?

Microsoft Exchange Server comes in two forms, which has caused some confusion about which systems are at risk: there is an on-premises product and a cloud-hosted software-as-a-service product. The cloud product, Exchange Online, is said to be unaffected by the security flaws. As stated above, it is the on-premises product that is being exploited. Other Microsoft email products are not believed to be vulnerable. As CISA has said, "It is not currently known that the vulnerabilities or exploited activity identified affect Microsoft 365 or Azure Cloud deployments."

There are four vulnerabilities in on-premises Exchange servers that are being actively exploited (see: here, here, here, and here). Three other related security vulnerabilities exist, but authorities say they have not yet seen active exploitation (see: here, here, and here). Patches can be found on the Microsoft website; however, as we will discuss in more detail later, there have been some issues with deploying them properly.

So far, Microsoft has mainly blamed a threat actor called "HAFNIUM" for the intrusions into Exchange. HAFNIUM is said to be a state-sponsored group whose modus operandi is to exploit the security flaws to deploy web shells, malicious scripts that can act as gateways into systems. These web shells allow attackers to gain remote access to servers and then exfiltrate large chunks of email data, including entire inboxes. HAFNIUM's goal would seem to be intelligence gathering. Although the group is believed to be based in China, the Chinese government has denied any responsibility.

However, security researchers say it is almost certain that other threat actors are also involved in exploiting the vulnerabilities. Security firm Red Canary reported over the weekend that it had observed several clusters of activity targeting Exchange servers and that organizations should not assume HAFNIUM is necessarily behind them: it could be someone else. "Based on our visibility and that of researchers at Microsoft, FireEye and others, there are at least five different activity groups that seem to be exploiting the vulnerabilities," Red Canary researcher Katie Nickels said on Saturday.

Who is being hit?

Due to the widespread use of Exchange, many different kinds of entities are at risk. Some large organizations, including the European Banking Authority, have already announced breaches. It is not yet known whether the U.S. government has been affected, although many agencies, including the Pentagon, are going through their own networks to find out whether they have been compromised.

Security researchers have expressed particular concern for smaller entities, specifically city and county governments and small and medium-sized enterprises, which they say are most at risk. In North Dakota, the state government recently admitted that it had been targeted by HAFNIUM and that it was investigating whether Chinese hackers had stolen data.

Lior Div, CEO of security firm Cybereason, said smaller companies were at risk of being compromised by the campaigns. Div stressed the potential impact the hack could have on local economies should the attacks turn out to be more destructive than merely intrusive:

"The latest assault on Microsoft Exchange is 1,000 times more devastating [than SolarWinds] because Chinese attackers have targeted SMEs [small and medium-sized enterprises], the lifeblood of the US economy and the engine of the world economy," Div said in an email. "SMEs were hardest hit by the COVID-19 pandemic, with millions of businesses closed, and just as we start to turn the corner after a devastating year, this attack on SMEs is set in motion. This attack can be even more damaging because SMEs don't usually have such a robust security posture, which allows threat actors to take advantage of the weak and generate strong revenue streams in this way."

What is being done?

The White House announced last Sunday that it would set up a task force to investigate the scope of the hack. This response, however, may be slowed by the fact that the Biden administration is already juggling the response to the SolarWinds hack (the White House is currently weighing cyber operations and sanctions against Russia for its alleged role in those attacks).

As noted above, Microsoft has issued patches for the vulnerabilities, but these patches have had some issues. On Thursday, a Microsoft spokesperson noted that in some cases the patches would appear to work but would not actually fix the vulnerability. A full breakdown of this issue can be found on the Microsoft website.

Organizations have been warned not only to patch the vulnerabilities but also to investigate whether they have already been compromised. Microsoft has released resources to help. It issued an update to its Safety Scanner tool (MSERT) that can help identify whether web shells have been deployed on Exchange servers. MSERT is an anti-malware tool that searches for, identifies, and removes malware from a system.
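As an added illustration of the kind of post-patch check described above (this is not Microsoft's tool and not code from the original article): a small Python triage script that lists .aspx files outside a known-good baseline and flags those modified on or after an assumed cutoff date or containing the two constructs a minimal web shell needs. The web root layout, baseline list, cutoff date and sample files are all constructed for the example.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Hypothetical indicators for this example: the two things a minimal ASPX web
# shell needs, a request parameter and something that executes it. Tune for
# your own environment; this is a triage aid, not a replacement for MSERT.
SUSPICIOUS = (
    re.compile(r"Request\s*[.\[]", re.IGNORECASE),
    re.compile(r"\b(eval|Process\.Start|cmd\.exe)\b", re.IGNORECASE),
)


def scan_web_root(root, baseline, not_before):
    """List .aspx files under root that are not in the known-good baseline and
    were either modified on/after not_before or match every indicator."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.aspx")):
        rel = path.relative_to(root).as_posix()
        if rel in baseline:
            continue  # known-good file from the install baseline
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        text = path.read_text(errors="ignore")
        hits = [p.pattern for p in SUSPICIOUS if p.search(text)]
        if mtime >= not_before or len(hits) == len(SUSPICIOUS):
            findings.append({"file": rel, "mtime": mtime.isoformat(), "hits": hits})
    return findings


def run_demo():
    """Build a constructed sample web root (not a real Exchange layout) and scan it."""
    root = Path(tempfile.mkdtemp())
    old = datetime(2021, 1, 1, tzinfo=timezone.utc).timestamp()  # pre-dates the cutoff
    samples = {
        "owa/auth/logon.aspx": '<%@ Page Language="C#" %><html>login form</html>',
        "owa/auth/help.aspx": '<%@ Page Language="C#" %><html>help text</html>',
        # constructed minimal web shell: evaluates whatever arrives in a request parameter
        "static/ping.aspx": '<%@ Page Language="JScript" %><% eval(Request["x"]); %>',
    }
    for rel, content in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.utime(p, (old, old))
    baseline = {"owa/auth/logon.aspx"}  # assumed known-good list from a clean install
    cutoff = datetime(2021, 2, 26, tzinfo=timezone.utc)  # assumed date; use your patch date
    return scan_web_root(root, baseline, cutoff)
```

An unknown file with an old timestamp and benign content (help.aspx) is not reported, so the content indicators and the timestamp check complement each other rather than relying on either alone.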

Apart from shoring up defenses and inspecting systems for signs of compromise, there may not be much that can be done right now. As with SolarWinds, Americans will probably just have to sit back and wait. It is definitely going to take time to understand the extent of the damage.
