Last week, Microsoft announced that the on-premises version of its widely used email and calendaring product Exchange had several previously undisclosed security flaws. These flaws, the company said, were being used by foreign threat actors to hack into the networks of U.S. businesses and governments, primarily to steal large troves of email data. Since then, the big question on everybody’s mind has been: Just how bad is this?
So far, hack descriptors such as “crazy huge,” “astronomical,” and “unusually aggressive” seem to be right on the money. As a result of Exchange vulnerabilities, it is likely that tens of thousands of U.S.-based entities have had malicious backdoors implanted in their systems. Anonymous sources close to the Microsoft investigation have repeatedly told press outlets that somewhere around 30,000 American organizations have been compromised as a result of the security flaws (if correct, these numbers officially dwarf SolarWinds, which led to the compromise of about 18,000 entities domestically and nine federal agencies, according to the White House). The number of compromised entities worldwide could be much larger. A source recently told Bloomberg that there are “at least 60,000 known victims globally.”
Even more problematically, some researchers have said that, since the public disclosure of the Exchange vulnerabilities, it would appear that attacks on the product have only accelerated. Anton Ivanov, a threat research specialist at Kaspersky, said in an email that his team has seen an uptick in activity over the past week.
“From the beginning, we anticipated that attempts to exploit these vulnerabilities would increase rapidly, and this is exactly what we are seeing now – so far we have detected such attacks in over a hundred countries essentially in every part of the world,” Ivanov told Gizmodo. “Even though the initial attacks may have been targeted, there is no reason for actors to not try their luck by attacking essentially any organization that runs a vulnerable server. These attacks are associated with a high risk of data theft or even ransomware attacks, and, therefore, organizations need to take protective measures as soon as possible.”
Microsoft Exchange Server comes in two formats, which has led to some confusion about what systems are at risk: there is an on-premises product and a software-as-a-service cloud product. The cloud product, Exchange Online, is said to be unaffected by the security flaws. As previously stated, it is the on-premises products that are being exploited. Other Microsoft email products are not thought to be vulnerable. As CISA has said, “neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments.”
There are four vulnerabilities in on-premises Exchange Servers that are actively being exploited (see: here, here, here, and here). Three other security-associated vulnerabilities exist, but authorities say these have not seen active exploitation of these yet (see: here, here, and here.) Patches can be found at Microsoft’s website, though, as we’ll go over in more detail later, there have been some issues with proper deployment.
So far, Microsoft has primarily blamed a threat actor dubbed “HAFNIUM” for the intrusions into Exchange. HAFNIUM is said to be a state-sponsored group whose modus operandi involves exploiting the security flaws to deploy web shells—malicious scripts that can act as backdoors into systems. These web shells allow the hackers to gain remote access to servers, then exfiltrate large tranches of email data—including entire inboxes. The goal of HAFNIUM would appear to be intelligence gathering. Though the group is believed to be based in China, the Chinese government has denied any responsibility.
However, security researchers say it is almost certain that other threat actors are also involved in the exploitation of the vulnerabilities. Security firm Red Canary reported over the weekend that they had observed multiple activity clusters targeting Exchange servers and that organizations shouldn’t assume that they are necessarily being targeted by HAFNIUM—it could be someone else. “Based on our visibility and that of researchers from Microsoft, FireEye, & others, there are at least 5 different clusters of activity that appear to be exploiting the vulnerabilities,” said Red Canary researcher Katie Nickels on Saturday.
Due to the widespread use of Exchange, many different types of entities are at-risk. Some large organizations—including the European Banking Authority—have already announced breaches. There is no word yet on whether the U.S. government has been affected, though numerous agencies—including the Pentagon—are currently going through their own networks to investigate whether they’ve been compromised.
Security researchers have expressed particular concern for smaller-sized entities—specifically city and county governments and small and mid-sized businesses—which they say are more at risk. In North Dakota, the state government recently admitted that it had been targeted by HAFNIUM and that it was investigating whether Chinese hackers had stolen data.
Lior Div, CEO of security firm Cybereason, said that smaller businesses were particularly at risk of being compromised by the campaigns. Div stressed the potential impact this hack could have on local economies in the event that the attacks prove more destructive than invasive:
“The newest assault against Microsoft Exchange is 1,000 times more devastating [than SolarWinds] because the Chinese attackers have targeted SMEs [small and medium size enterprises], the lifeblood of the U.S. economy and the driver of the global economy,” said Div, in an email. “SMEs were the most impacted by the COVID-19 pandemic, with millions of businesses closing around the world. And just when we are starting to turn the corner after a devastating year, this attack against SMEs is launched. This attack is potentially even more damaging because SMEs typically don’t typically have as robust a security posture in place, allowing threat actors to prey on the weak and drive strong revenue streams this way.”
The White House announced late Sunday that it would be putting together a task force to investigate the extent of the hack. This response may be slowed, however, by the fact that the Biden administration is already juggling a response to the SolarWinds hack (the White House is currently mulling covert cyber operations and sanctions on Russia, for its alleged role in the attacks).
As noted above, Microsoft has issued patches for the vulnerabilities—but these patches have had some problems. On Thursday, a Microsoft spokesperson noted that, in certain cases, the patches would appear to work but wouldn’t actually fix the vulnerability. A full break-down of that issue can be found on Microsoft’s website.
Organizations have been warned that they should not only be patching vulnerabilities but should also be investigating whether they have already been compromised. Microsoft has announced resources to help with that. It issued an update to its Safety Scanner (MSERT) tool which can help identify whether web shells have been deployed against Exchange servers. MSERT is an anti-malware tool that searches for, identifies, and removes malware on a system.
Other than shoring-up defenses and inspecting systems for indications of compromise, there may not be a whole lot that can be done at this point. As with SolarWinds, Americans will probably just have to sit and wait. It will definitely take time to understand how extensive the damage is.