It’s open season for Microsoft Exchange hackers
Massive espionage frenzy by a state sponsored Chinese hacking group hit at least 30,000 victims in the United States alone. The Exchange Server vulnerabilities exploited by the group known as Hafnium have been addressed, but the problem is far from over. Now that criminal hackers can see what Microsoft has fixed, they can reverse engineer their own exploits, opening the door to an escalation of attacks like ransomware on anyone who is still exposed.
In the week following the first publication of its fixes by Microsoft, the momentum already seems to be playing out. Analysts have seen several groups, most of them still unidentified, jump into action in recent days, with more hackers likely to come. The longer organizations take to correct, the more likely they are to run into problems.
While many organizations that get email services from Microsoft use the company’s cloud offerings, others choose to run an “on-premises” Exchange server themselves, which means they physically own and operate mail servers and manage the system. Microsoft released fixes for four vulnerabilities in its Exchange Server software last Tuesday and said in these initial warnings that the Chinese state-backed hacking group Hafnium was behind the frenzy. He also confirmed this week that the dam has not stopped.
“Microsoft continues to see many players take advantage of unpatched systems to attack organizations with on-premises Exchange Server,” the company said in a update Monday.
Later that evening, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency reaffirmed the urgent need for vulnerable organizations to take action. “CISA urges ALL organizations in ALL sectors to follow the advice to combat widespread domestic and international exploitation of vulnerabilities in Microsoft Exchange Server products,” the agency tweeted.
While things are bad right now with the operation of Exchange, disaster responders predict that things could get worse without action.
“There’s an inflection point where it’s shifting from the hands of spy operators to the hands of criminals and potentially open source,” says John Hultquist, vice president of intelligence analysis at security firm FireEye. “That’s why we’re all holding our breath right now, and it’s probably happening.”
Patches are essential to protect organizations, but researchers and attackers can also use them to investigate an underlying vulnerability and figure out how to exploit it. This arms race does not detract from the importance of issuing patches, but it has the potential to turn targeted and espionage-driven attacks into a destructive melee.
“I suspect that people will be looking at how to exploit these vulnerabilities that have nothing to do with Hafnium or their friends,” said Steven Adair, CEO of security firm Volexity, who first spotted the hacking campaign. ‘Exchange Server, in a final interview. “Cryptocurrency miners and ransomware are going to get into this game.”
Threat intelligence analysts at security firms Red Canary and Binary Defense are already seeing attackers laying the groundwork to run cryptominers on exposed Exchange servers.
An already precarious situation is likely to worsen once someone publicly releases a proof of concept exploit, essentially providing a blueprint hack tool for others to use. “I know that some research teams are working on proof of concept exploits to enable them to protect and defend their clients,” says Katie Nickels, chief intelligence officer for security firm Red Canary. “What is worrying everyone right now is if someone posts a proof of concept.”
On Tuesday, researchers from corporate security firm Praetorian published a report on an exploit they developed for Exchange vulnerabilities. The company said it had deliberately chosen to omit some key details that would allow virtually any attacker, regardless of skill and expertise, to militarize the tool. Security researcher Marcus Hutchins on Wednesday mentionned that a functional proof of concept has begun to circulate publicly.