Cybersecurity responders are working around the clock to shore up networks hit by last week’s hacking of Microsoft Exchange email servers, an attack that has affected hundreds of thousands of organizations around the world.
On Friday, the White House urged victims to patch their systems and stressed the urgency: the window for applying the updates should be measured in “hours, not days,” a senior administration official said.
“This is a huge, crazy hack,” Christopher Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), tweeted last week.
The full impact of the hack is still being assessed. President Joe Biden has been briefed on the attack and discussed it with the leaders of India, Japan and Australia at a summit on Friday, national security adviser Jake Sullivan said. The National Security Council has convened a multi-agency government working group to deal with the mass compromise.
The breach comes after last year’s Russia-linked hacking campaign, which exploited SolarWinds software to spread malware to 18,000 government and private computer networks.
“SolarWinds was bad. But the mass hacking that was done here is literally the biggest hack I’ve seen in my fifteen years,” said David Kennedy, CEO of cybersecurity company TrustedSec. “In this particular case, there was no rhyme or reason to whom [the attackers] were hacking. It was literally hacking everyone they could in that short amount of time and causing as much pandemonium and chaos as possible.”
Here’s what you need to know about the Microsoft Exchange hack:
When did the attack start?
Hackers began sneaking into Exchange servers “in early January,” according to cybersecurity firm Volexity, which Microsoft credits with identifying the initial exploits.
According to Microsoft corporate vice president Tom Burt, the hackers first gained access to an Exchange server either with stolen passwords or by using previously unknown vulnerabilities to “disguise themselves as someone who should have access.” They then planted web shells on the servers, which they controlled remotely (from private servers based in the United States) to steal data from victims’ networks.
Who is behind the attack?
Microsoft identified a China-based group it calls “Hafnium” as the main actor behind the initial attacks.
Historically, the Hafnium group has targeted “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” Burt wrote in a company blog post.
How did Microsoft respond?
Microsoft made the vulnerabilities public on March 2 and released patches for several versions of Exchange. Although Microsoft normally releases updates on the second Tuesday of each month (known as “Patch Tuesday”), this announcement came on the first Tuesday of the month, an indication of the urgency.
Days later, the company also took the unusual step of releasing security patches for unsupported versions of Exchange Server.
A Microsoft spokesman told CBS News that the company worked closely with CISA, other government agencies and security companies. In a statement to CBS News last week, the company said, “The best protection is to apply updates as soon as possible to all affected systems. We continue to help customers by providing additional guidance on investigation and mitigation. Affected customers should contact our support team for additional assistance and resources.”
How did the attack evolve?
Experts say it is common for hackers to ramp up an attack just before a fix is released, but that in this case the pace was much faster. “When a patch is imminent, [hackers] can resort to wider exploitation because there is this ‘use it or lose it’ factor,” said Ben Read, director of threat analysis at cybersecurity company Mandiant.
But in late February, just days before Microsoft released its security patch, security researchers saw a second wave of automated attacks targeting victims across every industry sector.
“They were very aggressive, essentially hacking everyone,” Kennedy said. The hackers planted backdoors known as “web shells” on compromised systems, attacking organizations “without rhyme or reason.” Kennedy added, “We haven’t seen that from China in the past.”
Microsoft said Friday that it is investigating whether the attackers learned in advance that a patch was imminent. The internal investigation is focused on “what could have caused the rise in malicious activity” in late February, but investigators have yet to draw any conclusions. “We have not seen any indication of a Microsoft leak related to this attack,” a Microsoft spokesman told CBS News.
What did hackers want?
The hackers’ goal is unclear. “Tens of thousands of targets, most of which really have no intelligence value,” Read said. “They’re just small towns and local businesses. Their information probably has no value to the Chinese government.” Read called the “level of mass exploitation” of incidental bystanders a “very rare” show of strength.
And what began as an operation run by Chinese hackers soon gave way to a feeding frenzy among criminal gangs from other countries, including Russia.
At least ten criminal espionage groups have exploited the Exchange Server flaws worldwide, antivirus firm ESET said Wednesday in a blog post.
Who has been affected?
Cybersecurity experts tell CBS News that tens of thousands of private and public entities in the United States have been affected. “Initially, the first estimates were 30,000 hacked. Now we see a number that is much higher,” Kennedy said. “Globally, it is definitely in the hundreds of thousands of servers that were hacked.”
The list of victims worldwide continues to grow and includes schools, hospitals, cities and pharmacies. Cybersecurity firm CyberEye identified “a number of affected victims, including U.S.-based retailers, local governments, a university and an engineering firm” in a blog post.
The European Banking Authority, the EU banking regulator, announced it had been affected.
Fortune 500 companies and large organizations that have migrated to Microsoft Exchange Online, Microsoft’s cloud-based email and calendar service, largely escaped the attack. But the widespread attack will be painful for smaller businesses that run Microsoft Exchange on their own on-premises servers and are least able to afford high-end security.
“The most worrying victims are, by far, small and medium-sized businesses that don’t follow the security news every day, who may not be aware that there’s this massive patch,” Katie Nickels, director of intelligence at cybersecurity firm Red Canary, told CBS News. She added that notifying victims has been a “huge challenge” given the large number of organizations affected. “What worries me the most is everyone we don’t see,” she said.
Has the federal government been compromised?
Officials have not confirmed breaches at any federal agency, Eric Goldstein, executive director of CISA’s cybersecurity division, told lawmakers last week. “Right now, there are no federal civilian agencies that are confirmed to be compromised in this campaign.”
But National Security Adviser Jake Sullivan said Friday that the federal government is “still trying to determine the scope and scale” of the hacking.
The Cybersecurity and Infrastructure Security Agency (CISA) said the breach “poses an unacceptable risk to Federal Civilian Executive Branch agencies” and issued an emergency directive on March 2 ordering all agencies to immediately patch their Exchange servers or, if affected, disconnect them.
What is the risk?
Cybersecurity companies say they have begun to observe hackers stealing passwords from compromised networks and installing malicious cryptocurrency-mining software on servers.
And in a tweet late Thursday, Microsoft said it had detected a new strain of “ransomware,” a kind of malware designed to block access to a computer until the victim pays a sum of money.
While companies may assume their systems are fixed once the Microsoft security patch is installed, the emergency update does not evict attackers who are already inside the servers, so organizations that were compromised before patching remain exposed to exploitation.
“There is also a lot of concern now that China will sell these accounts” to bad actors, including “ransomware perpetrators to cause as much damage as possible,” Kennedy said. “So right now it’s a very critical time for us.”
Is it connected to SolarWinds?
The latest attack is unrelated to last year’s SolarWinds breach, though the timing of two massive, back-to-back cyberattacks has strained the capacity to respond.
“The big impact on the industry is the timing,” Nickels said. “We are in a pandemic year. People are working remotely and are exhausted and stressed.”
U.S. officials told CBS News that while the SolarWinds hack has greater national security implications, since the hackers in that attack accessed nine federal agencies, the Microsoft Exchange attack is far more widespread.
“This is definitely bigger than SolarWinds,” Kennedy said. “While [SolarWinds] was bad, it hardly touched the breadth of the systems here.”
“This hack is a lot noisier and a lot easier to detect, but the scale is what makes this so worrisome,” Nickels said.
Senior White House officials told reporters Friday that the Biden administration will announce executive action in response to the SolarWinds attack. The White House will also unveil a new executive order on cybersecurity in the “coming weeks,” which includes a proposal to assign letter-grade cybersecurity ratings to software vendors used by the federal government.
It is still unclear whether the next cyber executive order will also address the risks posed by the latest Microsoft Exchange hack.
Both Russian and Chinese officials have denied responsibility. Last week, Foreign Ministry spokesman Wang Wenbin said China “strongly opposes and fights cyberattacks and cyber theft in all its forms.”
Margaret Brennan contributed to this report.