Over 30,000 U.S. Organizations Hacked Through Microsoft Vulnerabilities
Reports show those affected run on-premises Microsoft Exchange Server, with Outlook on the web exposed, rather than Microsoft's cloud-hosted Exchange Online.
According to a new report, the number of victims of the Chinese hacking group exploiting multiple vulnerabilities in Microsoft Exchange Server could be more than 30,000.
Unlike other recent large-scale cyber attacks like the compromise of the SolarWinds Orion IT management platform, the threat actors’ victims are wide-ranging and include small businesses and local municipalities, according to security blogger and researcher Brian Krebs.
Cybersecurity experts have been scrambling to grasp the scope of this attack, which is shaping up to be even larger and more widespread than the SolarWinds attack allegedly carried out by a nation-state group linked to Russia.
Microsoft last week released emergency security updates to fix the four vulnerabilities that hackers were exploiting to spy on victims’ email and potentially steal information, and the threat group has since ramped up their attacks on servers worldwide that remain unpatched, Krebs reported.
The hackers are adept at keeping access to victim servers after the initial break-in, chiefly by leaving behind a web shell: a small script dropped into a web-accessible folder on the Exchange server that the attacker can reach from any browser or HTTP client and that runs commands with the privileges of the Exchange web server, typically SYSTEM. Because the shell is a file on disk rather than a use of the bug, patching the vulnerability does not remove it.
According to Krebs, two anonymous cybersecurity experts who have briefed U.S. national security advisors on the attack said the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide, with each victim system representing approximately one organization that uses Exchange to process email.
Meanwhile, Reuters also reported that the number of victims could be in the tens of thousands. The publication, citing people familiar with the U.S. government’s response, reported that the number of organizations compromised through these vulnerabilities is more than 20,000.
According to Reuters, one scan of internet-connected devices showed only 10% of those vulnerable had installed the patches by Friday, though the number was rising. Since installing the patch closes the vulnerabilities but does not remove web shells or other back doors already planted, U.S. officials are racing to determine how best to notify victims and support them.
Reuters also says all of those affected appear to run on-premises Exchange Server with Outlook on the web (Outlook Web Access) reachable from the internet, rather than Microsoft's cloud-hosted Exchange Online, which was not affected.
Microsoft — which calls the group HAFNIUM — and cybersecurity firm Volexity disclosed the vulnerabilities in blog posts last week. The attacks appear to have started as early as Jan. 6, when the U.S. was busy investigating the SolarWinds compromise and dealing with a riot and insurrection at the Capitol.
The vulnerabilities are tracked as CVE-2021-26855, a server-side request forgery in the Exchange front end that lets an unauthenticated attacker send requests as the Exchange server itself; CVE-2021-26857, an insecure deserialization bug in the Unified Messaging service that yields code execution as SYSTEM; and CVE-2021-26858 and CVE-2021-27065, two post-authentication arbitrary file writes. Chained together, they give the attacker access to mailboxes and let them write files such as web shells to the server, establishing long-term access to victim environments.
Microsoft has since published mitigation guidance and a PowerShell script (Test-ProxyLogon.ps1, in its CSS-Exchange repository) that checks Exchange logs for indicators of compromise.
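The following is an added triage example written for this article, not Microsoft's script or code from the original page. It applies the HttpProxy log patterns Microsoft published as indicators of CVE-2021-26855 abuse (an AnchorMailbox beginning ServerInfo~ with a path, or a BackEndCookie of the form Server~host/path~...) and lists .aspx files created in the web-reachable Exchange folders since the earliest known exploitation date. The #Fields header is a cut-down version of the real HttpProxy schema and the log rows are constructed, both assumptions, so the sample runs offline; point the functions at real logs and paths on a server.

```powershell
# Added example (not Microsoft's Test-ProxyLogon.ps1). Assumptions, labelled:
# the #Fields header below is a simplified subset of the real HttpProxy
# columns, and every log row is constructed for illustration.

function ConvertFrom-HttpProxyLog {
    # Exchange HttpProxy logs begin with '#'-prefixed metadata; the '#Fields:'
    # line carries the CSV column names, so parse that instead of trusting
    # the first line as a header.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    $rows = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ','
        } elseif (-not $line.StartsWith('#') -and $line.Trim()) {
            $rows.Add($line)
        }
    }
    if (-not $fields) { throw 'No #Fields header found in log input' }
    return $rows | ConvertFrom-Csv -Header $fields
}

function Find-ProxyLogonSsrf {
    # CVE-2021-26855 exploitation leaves an AnchorMailbox like
    # 'ServerInfo~<host>/<path>' or a BackEndCookie like 'Server~<host>/<path>~...'
    # in the front-end proxy logs (the patterns Microsoft listed as IOCs).
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries | Where-Object {
        $_.AnchorMailbox -like 'ServerInfo~*/*' -or
        $_.BackEndCookie -like 'Server~*/*~*'
    } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox, BackEndCookie
}

function Find-SuspiciousAspx {
    # Web shells dropped via the file-write bugs were .aspx files in folders
    # IIS serves. Flag .aspx files created on or after the earliest known
    # exploitation date in the paths Microsoft named; legitimate Exchange
    # updates also write .aspx files here, so every hit needs manual review.
    param(
        [string[]]$Paths = @(
            'C:\inetpub\wwwroot\aspnet_client',
            "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth"
        ),
        [datetime]$Since = [datetime]'2021-01-06'
    )
    foreach ($p in $Paths) {
        if (Test-Path $p) {
            Get-ChildItem -Path $p -Recurse -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
                Where-Object { $_.CreationTimeUtc -ge $Since } |
                Select-Object FullName, CreationTimeUtc, Length
        }
    }
}

# Constructed sample log (simplified columns). Row 1 is a normal OWA logon;
# rows 2 and 3 carry the SSRF indicators and should be the only two hits.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,ClientIpAddress,UrlHost,UrlStem,AnchorMailbox,BackEndCookie
2021-03-02T10:15:01.001Z,198.51.100.7,mail.example.com,/owa/auth/logon.aspx,,Server~ex01.example.com~1941962752
2021-03-02T10:16:42.113Z,203.0.113.10,mail.example.com,/ecp/y.js,ServerInfo~a]@mail.example.com/autodiscover/autodiscover.xml,
2021-03-02T10:17:03.550Z,203.0.113.10,mail.example.com,/ecp/x.js,,Server~ex01.example.com/owa/auth/x.js~1941962752
'@ -split "`r?`n"

$entries = ConvertFrom-HttpProxyLog -Lines $sampleLog
Find-ProxyLogonSsrf -Entries $entries | Format-Table -AutoSize

# On a live server, feed every HttpProxy log instead of the sample:
# $live = Get-ChildItem -Recurse "$env:ProgramFiles\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log' |
#     ForEach-Object { ConvertFrom-HttpProxyLog -Lines (Get-Content $_.FullName) }
# Find-ProxyLogonSsrf -Entries $live
# Find-SuspiciousAspx
```

Run it on the constructed sample and only the two rows with a path embedded in AnchorMailbox or BackEndCookie are returned. A hit from either function is a lead, not proof: confirm by pulling the request's full HttpProxy row, the matching IIS log entry, and the contents and hash of any flagged .aspx file, and remember that a clean result after patching says nothing about activity before the logs' retention window.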
This article originally ran in CS sister publication MyTechDecisions.com. Zachary Comeau is TD’s web editor.