When news broke earlier this week that Chinese hackers were actively targeting Microsoft Exchange servers, the cybersecurity community warned that the zero-day vulnerabilities they exploited could affect countless organizations around the world. It is now becoming clear just how many email servers were hacked. The group known as Hafnium appears to have compromised as many victims as it could find across the global internet, leaving behind back doors so it could return to them later.
Hafnium exploited zero-day vulnerabilities in Microsoft Exchange Server's Outlook Web Access to indiscriminately compromise no fewer than tens of thousands of email servers, according to sources familiar with the investigation into the hacking campaign who spoke to WIRED. The intrusions, first detected by the security firm Volexity, began as early as January 6, with a notable rise starting last Friday and accelerating earlier this week. The hackers appear to have responded to the patch Microsoft released on Tuesday by expanding and automating their campaign. A security researcher involved in the investigation who spoke to WIRED on condition of anonymity put the number of hacked Exchange servers at more than 30,000 in the United States alone and in the hundreds of thousands worldwide, apparently all by the same group. Independent cybersecurity journalist Brian Krebs first reported the 30,000 figure on Friday, citing sources who had been briefed by national security officials.
“It’s massive. Absolutely massive,” a former national security official with knowledge of the investigation told WIRED. “We’re talking about thousands of compromised servers per hour globally.”
At a news conference on Friday afternoon, White House press secretary Jen Psaki urged anyone running affected Exchange servers to apply Microsoft’s patch for the vulnerabilities immediately. “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this,” Psaki said, a rare instance of a White House press secretary commenting on specific cybersecurity vulnerabilities. “Network owners should also consider whether they have already been compromised and take appropriate measures immediately.” That White House advice echoed a tweet from former Cybersecurity and Infrastructure Security Agency director Chris Krebs on Thursday night advising anyone with an internet-exposed Exchange server to “assume compromise” and begin incident response measures to remove the hackers’ access.
The affected networks, which likely include more small and medium-sized organizations than large companies, which tend to use cloud-based email, appear to have been hacked indiscriminately by automated scanning. The hackers installed a “web shell,” a web-accessible remote access point, on the exploited Exchange servers, allowing them to carry out reconnaissance on the target machines and potentially move laterally to other computers on the network.
That means only a small fraction of the hundreds of thousands of hacked servers around the world are likely being actively targeted by the Chinese hackers, according to Volexity founder Steven Adair. But any organization that does not remove the hackers’ backdoor remains compromised, and the hackers could re-enter its network to steal data or cause chaos until the web shell is removed. “A huge, massive number of organizations are getting that initial foothold,” Adair says. “It’s a ticking time bomb that can be used against them at any time.”
While the vast majority of the intrusions appear to consist solely of these web shells, the “astronomical” scale of the global compromise is uniquely disturbing, a security researcher involved in the investigation told WIRED. The compromised small and medium-sized organizations include local government agencies, police departments, hospitals, Covid response efforts, energy and transportation companies, airports and prisons. “China just owned the world, or at least everyone with Outlook Web Access,” the researcher said. “When was the last time someone was so daring as to hit everyone?”
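Adair’s point about the leftover web shell is the practical takeaway for defenders: the foothold persists until someone finds and removes it. The script below is an added example for this page, not code from the WIRED article, from Volexity or from Microsoft. It is a first-pass triage an administrator would run on an on-premises Exchange server to list recently written ASP.NET script files in the directories where a web shell dropped through Outlook Web Access would live. The directory paths (a default Exchange installation under `V15`), the January 6 cutoff date taken from the article, and the content heuristics are all assumptions of this example.

```powershell
# Added example (not from the article): triage for web shells left on an
# on-premises Exchange server. Run in an elevated PowerShell session.
# ASSUMPTION: default Exchange 2013/2016/2019 install root; adjust if needed.
$ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15'

# ASSUMPTION: typical drop locations for shells served through OWA/ECP and IIS.
$SearchPaths = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    'C:\inetpub\wwwroot\aspnet_client'
)

# The article reports intrusions beginning as early as January 6, 2021,
# so anything written since then is treated as suspect.
$Since = Get-Date '2021-01-06'

# Server-side script types that a web shell is normally written as.
$Patterns = @('*.aspx', '*.ashx', '*.asmx')

$Findings = foreach ($p in $SearchPaths) {
    if (-not (Test-Path $p)) { continue }
    Get-ChildItem -Path $p -Recurse -File -Include $Patterns -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        ForEach-Object {
            # Heuristic: server-side code that both reads request-supplied input
            # and evaluates or executes something is the classic shell shape.
            $body = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            $suspicious = ($body -match 'Request\.(Item|Form|QueryString|Headers)') -and
                          ($body -match '(eval|Execute|Process\.Start|Assembly\.Load)')
            [pscustomobject]@{
                Path       = $_.FullName
                Created    = $_.CreationTime
                Modified   = $_.LastWriteTime
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Suspicious = $suspicious
            }
        }
}

# Newest writes first; anything marked Suspicious should be preserved (not
# just deleted) for incident response before the server is cleaned.
$Findings | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. Installing Tuesday’s patch also rewrites files under these directories, so a recent timestamp alone is not evidence of a shell; compare the SHA256 values against a known-good installation and look at the `Suspicious` column. And a hit only tells you the backdoor exists, not what was done with it, which is why Krebs’ advice to assume compromise and start incident response applies even when this listing comes back clean.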