Microsoft announced this week that another one of its email products, on-premises Exchange Server, was being actively exploited by a hacking campaign. This hack is entirely unrelated to the “SolarWinds” one, in which Microsoft has also played an outsized role.
A state-sponsored threat actor from China dubbed “HAFNIUM” is said to be exploiting a number of zero-day flaws in on-premises Microsoft Exchange servers all over the globe in an apparent effort to steal data. Exchange is Microsoft’s mail and calendaring server: clients such as Outlook connect to it to send and receive mail and to keep mailboxes, calendars and contacts synchronized across a user’s devices. It is a very widely used product, to say the least. While Microsoft has sought to play down the potential scope of this hack (calling it “limited and targeted” in nature), that assessment is increasingly looking badly wrong.
Among the numerous parties to disagree with the “limited and targeted” assessment is the White House, which said Friday that it was “concerned” about the extent of the attack. During a press conference, Biden administration spokesperson Jen Psaki said:
Everyone running these servers — government, private sector, academia — needs to act now to patch them. We are concerned that there are a large number of victims and are working with our partners to understand the scope of this...Network owners also need to consider whether they have already been compromised and should immediately take appropriate steps. The Cybersecurity and Infrastructure Security Agency issued an emergency directive to agencies, and we’re now looking closely at the next steps we need to take. It’s still developing. We urge network operators to take it very seriously...
Indeed, CISA took the unusual step Wednesday of mandating that all federal agencies patch any on-premises Exchange servers they were running: “CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” the agency wrote, giving agencies until noon Friday to patch the related vulnerabilities.
All this concern is likely driven by estimates that the number of parties affected by the hack could run to the tens of thousands. KrebsOnSecurity made the bold claim Friday that “at least 30,000” U.S. organizations were hacked via the newly discovered flaws in Exchange servers, and that potentially hundreds of thousands of servers worldwide were compromised as a result of the campaign. Reuters similarly reports that more than “20,000 American organizations” have been compromised through the vulnerabilities, according to an anonymous source familiar with the government’s response efforts.
Jake Sullivan, who serves as National Security Advisor to President Biden, made it clear via Twitter that the administration was alarmed.
Chris Krebs, the former director of CISA, similarly said Friday that organizations that had an Exchange server exposed to the internet during a specific time frame should simply “assume” they had been compromised by the hacking campaign.
A more on-the-ground perspective on the hack was provided by security firm Huntress, which released a report Wednesday detailing the extent to which it had seen webshells deployed on unpatched Exchange servers:
Currently, we’ve identified 176 of our partners’ servers that have received the webshell payload from Update 1 (below). These companies do not perfectly align with Microsoft’s guidance as some personas are small hotels, an ice cream company, a kitchen appliance manufacturer, multiple senior citizen communities and other “less than sexy” mid-market businesses. With that said, we have also witnessed many city and county government victims, healthcare providers, banks/financial institutions, and several residential electricity providers.
When questioned about the Huntress report Wednesday, Microsoft sent a brief statement our way, simply stating:
As we said in our blogs, we recommend customers update as soon as possible as we anticipate that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.