Vulnerabilities in Microsoft Exchange Server, Reported in January, Have Enabled Breaching ‘Hundreds of Thousands’ of Organizations
Tom Burt of Microsoft:
Today, we’re sharing information about a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC) that we are calling Hafnium. Hafnium operates from China, and this is the first time we’re discussing its activity. It is a highly skilled and sophisticated actor.
Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we’ve seen use these exploits, which are discussed in detail by MSTIC here. The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.
More details about these vulnerabilities can be found on the ProxyLogon website set up by Devcore, which discovered these vulnerabilities, as well as a timeline that aligns with one posted by Brian Krebs.
But we’re well past these being interesting vulnerabilities that are scary only in theory.
Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.
The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.
“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”
Catalin Cimpanu, the Record:
The ongoing mass exploitation campaign targeting Microsoft Exchange email servers has expanded in less than a week to include attacks from multiple nation-state hacking groups and cybercrime operations alike.
Microsoft has instructions for sysadmins to verify if their Exchange server was compromised, and has released patches.
Ryan Naraine in the Security Conversations newsletter:
In my 20+ years writing about hackers and tracking advanced threats, I’ve never seen this volume of in-the-wild zero-day exploitation happening at the same time. Last week alone, we saw five 0-days exploited in the wild, including a mysterious Chrome attack and Chinese cyberspies hitting tens-of-thousands of companies globally via Microsoft Exchange server vulnerabilities.
Google’s 0-day tracker spreadsheet has so far flagged 12 in-the-wild 0day attacks in 2021 (there were 24 total last year) and I know they’re missing at least two — the Sonicwall firewall attacks and the Accellion incident that’s also causing a world of hurt downstream.
Thumbing through that spreadsheet is informative. You will see exploits targeting software and firmware from Apple, Google, Mozilla, and Adobe — especially Adobe. But the number of vulnerabilities in Microsoft’s products that are being used in the wild stands head and shoulders above all other vendors. That is alarming but it is also unsurprising: organizations large and small use Microsoft’s productivity and server products; perhaps more importantly, these products are used by governments at all levels with no great alternatives.
My interpretation: we’ve never been this good at *detecting* in-the-wild zero-day exploitation.
Reminds me of something I heard years ago about cancer research. I am not sure where this came from, but one of the questions researchers face is how much of the rising number of cancer cases is due to more cancer, and how much can be attributed to better detection. This has stuck in my mind for years, and I think about it a lot as I hear about other trends — like this one.