Email of more than 30,000 organizations hacked through Microsoft Exchange flaws
Microsoft's emergency security patch, released a few days ago to fix vulnerabilities in Microsoft Exchange Server, did not stop the hacking group that was exploiting them.
Four vulnerabilities were found in Microsoft Exchange Server, and they were used to break into the email systems of more than 30,000 US government and business organizations.
The Chinese state-sponsored group, called Hafnium, ramped up and automated its campaign after the patch was released.
In the United States, the group has infiltrated at least 30,000 organizations that run Microsoft Exchange Server for email, including police departments, hospitals, local governments, banks, nonprofits, and telecom service providers.
The worldwide victim count is reported to be in the hundreds of thousands: essentially everyone running a locally hosted Outlook Web Access that went unpatched for a few days has been attacked.
“Thousands of servers are hacked every hour around the world,” said a former national security official.
When Microsoft announced the fix, it credited security firm Volexity with alerting it to Hafnium's activity.
Even organizations that patched their servers on the day the security update was released may still have been hacked, said Steven Adair, president of Volexity.
Moreover, the patch only closes the vulnerabilities in Exchange Server; organizations that were already hacked still have to remove the backdoor the group planted in their systems.
Hafnium exploits the flaws to plant a malicious web shell (a web-accessible backdoor) on its victims' servers, giving it administrative access that it can use to steal information.
The Volexity chief and other security experts are concerned that the hackers may install additional backdoors while victims work to remove the existing ones.
Microsoft has made clear from the start that these vulnerabilities have nothing to do with SolarWinds, but Hafnium's campaign may dwarf the SolarWinds attacks in the number of victims.
Authorities believe that about 18,000 entities were affected by the SolarWinds breach, since that was the number of customers who downloaded the malicious software update.
Hafnium's activity is concentrated on small and medium-sized organizations, whereas the SolarWinds hackers infiltrated large US tech firms and government agencies.
Microsoft said it is working closely with the US Cybersecurity and Infrastructure Security Agency, along with other government agencies and security companies, to provide customers with additional investigation and mitigation guidance.
Thoughts on the Hafnium Exchange hack: (1) it's going to disproportionately impact those that can least afford it (SMBs, Edu, States, locals), (2) incident response teams are BURNED OUT & this is at a really bad time, (3) few orgs should be running exchange servers these days. https://t.co/bc5yutThve
— Chris Krebs (@C_C_Krebs) March 6, 2021