Tens of thousands of US-based organizations are running Microsoft Exchange servers that have been backdoored by threat actors who are stealing administrator passwords and exploiting critical vulnerabilities in the email and calendaring application, it has been widely reported. Microsoft released emergency patches on Tuesday, but the patches do nothing to disinfect systems that have already been compromised.
KrebsOnSecurity was the first to report the massive hack. Citing several unnamed individuals, reporter Brian Krebs estimated the number of US organizations compromised at at least 30,000. According to Krebs, there are at least 100,000 hacked organizations worldwide. Other news outlets, also citing anonymous sources, quickly followed suit with reports that the hack had affected tens of thousands of organizations across the US.
Assume a compromise
“This is the real deal,” Chris Krebs, former head of the Cybersecurity and Infrastructure Security Agency, said on Twitter, referring to the attacks on on-premises Exchange, otherwise known as Outlook Web Access. “If your organization has an OWA server exposed to the Internet, assume a compromise between 02/26-03/03.” His comments were accompanied on Thursday by a tweet from Jake Sullivan, President Biden’s White House national security adviser.
This is the real deal. If your organization has an OWA server that is exposed to the Internet, assume a compromise between 02/26-03/03. Check for 8 character aspx files in C:\inetpub\wwwroot\aspnet_client\system_web\. If you get a hit on that search, you are now in incident response mode. https://t.co/865Q8cc1Rm
— Chris Krebs (@C_C_Krebs) March 5, 2021
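The search Chris Krebs describes in the tweet above, written out as an added triage script (not code from the article or from Microsoft). It assumes the default Exchange web root path quoted in the tweet, uses the 02/26 to 03/03 window from the tweet as a heuristic on file creation time, and records a SHA256 hash of each hit so evidence is preserved before any cleanup.

```powershell
# Added example: look for the 8-character .aspx files described in the tweet above.
# Assumes the default path from the tweet; adjust $Root for non-default installs.
$Root  = 'C:\inetpub\wwwroot\aspnet_client\system_web'
$Start = Get-Date '2021-02-26'
$End   = Get-Date '2021-03-04'   # exclusive upper bound, so 03/03 is covered in full

if (-not (Test-Path -LiteralPath $Root)) {
    Write-Warning "Directory not found: $Root"
    return
}

# Legitimate content is not expected in this directory, so any .aspx whose base
# name is exactly 8 characters is treated as a candidate web shell.
$hits = Get-ChildItem -LiteralPath $Root -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName.Length -eq 8 } |
    ForEach-Object {
        [PSCustomObject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Created   = $_.CreationTime
            InWindow  = ($_.CreationTime -ge $Start -and $_.CreationTime -lt $End)
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

if ($hits) {
    Write-Host 'Candidate web shell files found; treat this host as compromised and start incident response.' -ForegroundColor Red
    $hits | Format-Table -AutoSize
    # Preserve the findings (paths, timestamps, hashes) before any remediation touches the files.
    $hits | Export-Csv -LiteralPath "$env:TEMP\exchange_aspx_triage.csv" -NoTypeInformation
} else {
    Write-Host "No 8-character .aspx files under $Root."
}
```

An empty result only clears this one indicator; creation timestamps can be altered and shells were also dropped elsewhere, so Microsoft's published indicators and script should still be run.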
Hafnium has company
Microsoft said Tuesday that on-premises Exchange servers were hacked in “limited targeted attacks” by a China-based hacking group that the software maker calls Hafnium. Following Friday’s post from Brian Krebs, Microsoft updated its post to say it “saw increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors outside of HAFNIUM.”
Katie Nickels, director of intelligence at security firm Red Canary, told Ars that her team found Exchange servers compromised by hackers using tactics, techniques and procedures that are markedly different from those of the Hafnium group Microsoft mentioned. She said Red Canary counted five “clusters that look different from each other, [though] telling whether the people behind it are different or not is really challenging and unclear at this point.”
On Twitter, Red Canary said that some of the compromised Exchange servers the company has tracked contain malware that fellow security firm Carbon Black analyzed in 2019. The malware was part of an attack that involved installing crypto mining software called DLTminer. It is unlikely that Hafnium would install such a payload.
Microsoft said Hafnium is a skilled hacking group from China that focuses primarily on stealing data from US-based infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and non-governmental organizations. The group, Microsoft said, hacked into servers by either exploiting recently resolved zero-day vulnerabilities or using compromised administrator credentials.
It is not clear what percentage of the infected servers are the work of Hafnium. Microsoft warned Tuesday that the ease of exploiting the vulnerabilities made it likely that other hacking groups would soon join Hafnium. If ransomware groups aren’t already among the clusters that compromise servers, it’s almost inevitable that they soon will be.
Brian Krebs and others reported that tens of thousands of Exchange servers were compromised with a web shell, which hackers install once they gain access to a server. The software allows attackers to enter administrative commands through a terminal window accessible through a web browser.
Researchers have carefully noted that simply installing the patches Microsoft released in Tuesday’s emergency release would do nothing to disinfect servers that already had backdoors. The web shells and any other malicious software installed will remain until they are actively removed, ideally by completely rebuilding the server.
People who manage Exchange servers in their networks should stop what they are doing now and carefully inspect their machines for signs of compromise. Microsoft has listed indicators of compromise here. Administrators can also use this script from Microsoft to test if their environment is affected.
The escalation of Exchange server hacks this week comes three months after security professionals uncovered the hack of at least nine federal agencies and about 100 companies. The primary vector for those infections was software updates from network tools maker SolarWinds. That massive hack was one of, if not the, worst computer break-ins in US history. It is possible that the Exchange Server hack will soon claim that distinction.
There is still much that is unknown. For now, people would do well to heed Chris Krebs’ advice to assume that on-premises servers have been compromised and act accordingly.