Ongoing & enormous Microsoft Exchange server hack hits 30,000 US groups
The Hafnium hacking group in China has allegedly hacked at least 30,000 organizations in the United States through vulnerabilities in Microsoft Exchange Server, and the group is said to have increased its activity after the initial reports of the hack.
On Wednesday, Microsoft disclosed evidence that "Hafnium," a Chinese hacking group, was attacking servers in the United States and around the world through Microsoft Exchange Server. Microsoft also released emergency security patches to plug the four security holes the group was exploiting, which affect Exchange Server versions 2013 through 2019.
By Saturday, hints of the extent of the hacking spree indicated it was wide-ranging and major in scale.
According to a Reuters source on Friday, the attack had affected more than 20,000 US organizations. However, two anonymous cybersecurity experts who briefed US national security advisors on the attack told KrebsOnSecurity the number is far higher, in excess of 30,000 organizations.
Furthermore, despite the release of patches, the experts claim the group has stepped up its attacks in a bid to gain access to Exchange servers that remain unpatched. On a global scale, the attack is said to have affected "hundreds of thousands" of servers.
While unconfirmed, it appears that the mass hack is at a larger scale than that of SolarWinds. It is believed more than 18,000 organizations could have been affected by that network management software hack.
Even organizations that have applied the patch may still be affected. As part of the hack, the group leaves a "web shell" installed: a hacking tool, accessible from a browser, that provides administrative access to the server.
Applying the patches prevents new intrusions through these holes, but it does not remove a web shell that was planted before the patch was applied, so a previously hacked system can remain under the attacker's control.
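The point above, that patching closes the door but leaves anything already planted in place, is why responders compare the web directories of a patched server against a known-good baseline rather than trusting the patch alone. The script below is an added example written for this article, not code from Microsoft, Volexity or anyone quoted here. It takes a SHA-256 inventory of server-side script files under a web root, saves it as a JSON baseline, and later reports script files that were added, modified or removed. The directory layout, file names and file contents in `demo()` are constructed for the illustration, and the set of script extensions is a heuristic assumption; no indicator values are taken from the article.

```python
"""Baseline-diff check for unexpected server-side script files under a web root.

Added example (not from the article): a file-integrity check a defender can run
against a web directory after patching, because a patch closes the vulnerability
but does not remove files an intruder already wrote. Paths, the baseline format and
the sample tree are assumptions constructed for this illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions IIS executes server-side. A file with one of these that is not in the
# baseline deserves a manual look. (Heuristic assumption for this example.)
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(web_root: Path) -> dict:
    """Map each script file (path relative to web_root) to its SHA-256 hex digest."""
    inventory = {}
    for candidate in web_root.rglob("*"):
        if candidate.is_file() and candidate.suffix.lower() in SCRIPT_EXTENSIONS:
            inventory[candidate.relative_to(web_root).as_posix()] = sha256_of(candidate)
    return inventory


def save_baseline(inventory: dict, baseline_file: Path) -> None:
    """Persist an inventory as JSON; taken from a server known to be clean."""
    baseline_file.write_text(json.dumps(inventory, indent=2, sort_keys=True))


def load_baseline(baseline_file: Path) -> dict:
    return json.loads(baseline_file.read_text())


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Classify script files as added, modified or removed relative to the baseline.

    'added' is the category to triage first: a script file that was never part of
    the deployment is exactly what a patch would not have cleaned up.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current) if baseline[name] != current[name]
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Build a constructed sample web root, baseline it, then simulate later changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        auth_dir = root / "owa" / "auth"          # constructed sample layout
        auth_dir.mkdir(parents=True)
        (auth_dir / "logon.aspx").write_text("<%-- constructed placeholder page --%>")
        (auth_dir / "logo.png").write_bytes(b"\x89PNG constructed, not a script")

        baseline_file = root / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated post-baseline changes: one script file appears, one is altered.
        (auth_dir / "unexpected.aspx").write_text("<%-- constructed placeholder --%>")
        (auth_dir / "logon.aspx").write_text("<%-- constructed placeholder, altered --%>")

        return diff_against_baseline(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken from a freshly installed server of the same build, or from a trusted backup, and stored off the host being checked; a baseline written on an already compromised server would silently include the intruder's files. Non-script files such as the sample PNG are deliberately ignored so the report stays short enough to read.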
It is claimed victims still running the web shell include thousands of U.S. entities, including financial institutions, charities and non-profits, and the operations of emergency services.
"Even if you patched the same day Microsoft published its patches, there's still a high chance there is a web shell on your server," said security firm Volexity president Steven Adair. "The truth is, if you're running Exchange and you haven't patched this yet, there's a very high chance that your organization is already compromised."
The scale of the hacks has led the US Cybersecurity & Infrastructure Security Agency (CISA) to issue an emergency directive ordering federal departments and agencies to update their Microsoft Exchange servers or take the servers offline. The White House press secretary has also warned that the vulnerabilities "could have far-reaching impacts," with a fear there could be a "large number of victims."
Comments
These communist dictatorships are desperate for western tech. The Chinese should be embarrassed by their blatant stealing. At least the Russians had a legitimate space program developed on their own.
And shame on us for being so naive.
It is a crime.
At least we did the fixes for the Y2K problems -- of course, because it was fixed, few people believe it was ever a problem -- a "fake" problem -- like all the "fake" problems the conspiracy theorists believe, while allowing the real problems to continue unabated.
If people have been hacking into systems (NSA, CIA, China, Russia) then you need to realize the reason is because the production software was a hack to begin with.
I paid some attention to this stuff when I was in academia (a long time ago). I don't know where the science is on these matters now. If there are computer programming language constructs that will ensure security, industry must be putting them into practice. Somehow I think the industry is wedded to "we've always done it like this", so are unwilling and unable to change.
One can criticize China heavily without resorting to saying how poor and sh*tty their country is and being defensive about racism, as both of you just did.
Many on these forums prefer facts to hate filled propaganda.
Funny how the hacking attack was carried out from U.S. servers -- but we, without evidence, blame the Chinese military.