Fri. Nov 18th, 2022

The attack has been ongoing since January
Illustration by Alex Castro / The Verge
Four exploits found in Microsofts Exchange Server software have reportedly led to over 30,000 US governmental and commercial organizations having their emails hacked, according to a report by KrebsOnSecurity. Wiredis also reporting tens of thousands of email servers hacked. The exploits have been patched by Microsoft, but security experts talking to Krebs say that the detection and cleanup process will be a massive effort for the thousands of state and city governments, fire and police departments, school districts, financial institutions, and other organizations that were affected.
According to Microsoft, the vulnerabilities allowed hackers to gain access to email accounts, and also gave them the ability to install malware that might let them back into those servers at a later time.
Krebs and Wiredreport that the attack was carried out by Hafnium, a Chinese hacking group. While Microsoft hasnt spoken to the scale of the attack, it also points to the same group as having exploited the vulnerabilities, saying that it has high confidence that the group is state-sponsored.
According to KrebsOnSecurity, the attack has been ongoing since January 6th (the day of the riot), but ramped up in late February. Microsoft released its patches on March 2nd, which means that the attackers had almost two months to carry out their operations. The president of cyber security firm Volexity, which discovered the attack, told Krebs that if youre running Exchange and you havent patched this yet, theres a very high chance that your organization is already compromised.
Both the White House National Security Advisor, Jake Sullivan, and former director of the Cybersecurity and Infrastructure Security Agency Chris Krebs (no relation to KrebsOnSecurity) have tweeted about the severity of the incident.
This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03. Check for 8 character aspx files in C:\\inetpub\wwwroot\aspnet_client\system_web\. If you get a hit on that search, youre now in incident response mode.
Chris Krebs (@C_C_Krebs) March 5, 2021
Microsoft has released several security updates to fix the vulnerabilities, and suggests that they be installed immediately. It is worth noting that, if your organization uses Exchange Online, it will not have been affected the exploit was only present on self-hosted servers running Exchange Server 2013, 2016, or 2019.
While a large-scale attack, likely carried out by a state-run organization may sound familiar, Microsoft is clear that the attacks are in no way connected to the SolarWinds attacks that compromised US federal government agencies and companies last year.
Its likely that there are still details to come about this hack so far, there hasnt been an official list of organizations that have been compromised, just a vague picture of the large scale and high-severity of the attack.
A Microsoft spokesperson said that the company is working closely with the [Cybersecurity and Infrastructure Security Agency], other government agencies, and security companies, to ensure we are providing the best possible guidance and mitigation for our customers, and that [t]he best protection is to apply updates as soon as possible across all impacted systems.