On the heels of Russia’s SolarWinds attack, China mounted an attack on Microsoft Exchange Servers. The attack left a backdoor in place for reentry, but a fix was released.
Over the last year, the world has been focused on fighting the war against COVID-19. Businesses have been forced to adjust to work-from-home processes and procedures, developing them on the fly in most cases. And all the while, those businesses have also been fighting a war against cybercrime. It’s no secret that China, Russia and the United States are in a technology race. So far, the U.S. has been able to stay ahead in most areas, but China has the lead in some, and the SolarWinds hack showed us that Russia is stealthy and patient. On the heels of that attack, it was announced last week that China mounted its own attack on Microsoft Exchange servers, leaving a backdoor in place for easy reentry when needed.
The group to blame is known as Hafnium. Hafnium located and exploited zero-day vulnerabilities in Microsoft Exchange servers’ Outlook Web Access. The vulnerability allowed the group to compromise at least tens of thousands of email servers, which they did indiscriminately. In fact, they majoritavely impacted small and medium-sized businesses. The breaches were first noticed by Volexity, a security firm, which noted the attack began as early as January 6. (It’s likely that date isn’t a coincidence, seeing as our country was wildly distracted by the attack on the Capitol.)
There has been an increase in activity with these intrusions over the last week or so. Since Microsoft released its patch, the group has been ramping up and automating their hacking campaign. This is one of those known vulnerabilities we so often talk about. Threat actors will continue to exploit known vulnerabilities because businesses are slow in applying the patches they are given for problems. Hackers know that businesses will take their time, that they are more focused on other things and therefore put security on the backburner. The problem with this attack in particular, is that while it was caught relatively early, it is thought to have already infected hundreds of thousands of servers globally. There seem to be over 30,000 infected in the U.S. alone.
“It’s massive. Absolutely massive,” one former national security official with knowledge of the investigation told WIRED. “We’re talking thousands of servers compromised per hour, globally.”
And the attacks on these servers are indiscriminate, done via automated scanning. We have talked about that in the past as well, how threat actors don’t care how big your business is. Their business is in information, that’s their form of currency, it doesn’t matter where that information comes from. Once they are inside the server, a backdoor is planted. This allows hackers into the network to find and target specific machines and move to other computers on the network. The more they move around, the more information they gather along the way.
Now, it appears that only a small portion of the affected servers worldwide are likely to be targeted, but that doesn’t mean you should ignore the problem. Any assumption should be that your breach is an incident and should be treated as such. Beginning the incident response process is the first step to re-securing your business and getting hackers out of your internal systems. With this attack, threat actors can re-enter your network to do damage or steal data or execute some heinous act at any point they decide. Volexity founder, Steven Adair, said, “A massive, massive number of organizations are getting that initial foothold. It’s a ticking time bomb that can be used against them at any point in time.”
The U.S. has now seen Russia undergo a year-long endeavor to breach government systems, eventually gaining access to seven of them. The full impact of the SolarWinds hack is yet to be determined, and we may never know the full-scale impact it does have. That one was sophisticated, we still don’t know how they got into the platform. This attack, while young, has affected vastly more machines than the SolarWinds attack. It also doesn’t seem to have a purpose as of yet, only leaving the backdoor for later use. Investigators are still trying to figure out exactly who the Hafnium hackers are, and what their goal is.
Without that information, businesses have no way to know what to prepare for in this situation, and many small and medium-sized businesses aren’t properly set up with a cybersecurity strategy. Which is why it is crucial for all businesses impacted, even if you’re not sure your business is impacted, follow the steps outlined by Microsoft to make the fix. If you don’t know how or can’t get it done for whatever reason, bring someone in to help you. These are problems you simply cannot let slide. This is the second attack of this scale in just a few months, it’s also the second security problem to not have a known target or desired outcome. Don’t wait and see what happens. If you’re concerned, the best thing to do is fix the known problem and then do a full security review to ensure your business is locked down as tightly as possible.