The Microsoft Emergency Security Patch deployed A few days ago, fixing four zero-day vulnerabilities in Exchange Server did not deter the hacking group that exploited them. In fact, according to Krebs on security and Wired, the Chinese state-sponsored group dubbed Hafnium ramped up and automated their campaign after the patch was released. In the United States, the group has infiltrated at least 30,000 organizations using Exchange to process email, including police departments, hospitals, local governments, banks, credit unions, nonprofits and telecommunications providers. Worldwide, the number of victims is believed to be several hundred thousand.
“Almost everyone who is running self-hosted Outlook Web Access that was not patched a few days ago has been hit by a zero-day attack,” a source said. Krebs. A former national security official Wired said that thousands of servers are compromised every hour around the world. When Microsoft announced its emergency fix, it thanked security firm Volexity for informing it of Hafnium’s activities. Volexity President Steven Adair has now said that even organizations that patched their servers on the day Microsoft’s security update was released may still have been compromised.
Additionally, the patch will only fix Exchange Server vulnerabilities – those already compromised will still need to remove the backdoor that the group has implanted in their systems. Hafnium exploits the loopholes to plant “web shells” in the servers of their victims, giving them administrative access that they can use to steal information. According to KrebsAdair and other security experts are worried about the possibility of intruders installing additional backdoors as victims scramble to remove those already in place.
Microsoft made it clear from the start that these exploits had nothing to do with SolarWinds. Having said that, Hafnium’s activities “may eclipse SolarWinds attacks in terms of casualties. The authorities estimate that around 18,000 entities affected by the violation of SolarWinds, since that was the number of customers who downloaded the malicious software update. As Wired notes, however, that Hafnium’s business is focused on small and medium-sized organizations, where SolarWinds hackers have infiltrated tech giants and major US government agencies.
When asked about the situation, Microsoft said Krebs that it works closely with the United States Cybersecurity & Infrastructure Security Agency, as well as other government agencies and security companies, to provide its clients with “additional investigative and mitigation advice.” .
So what are you doing now? (1) patch (if you haven’t already), (2) assume you are possessed, look for an activity, (3) if you aren’t able to hunt or can’t find a team for yourself help, disconnect and rebuild, (4) move to the cloud, (5) pour one for the IR teams, they had a difficult year (s).
– Chris Krebs (@C_C_Krebs) March 6, 2021