Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

PATCH NOW! Massive Hack on Microsoft Exchange Servers

March 9, 2021

The Washington Post (sub.req.) reported on March 8 that the White House and U.S. intelligence officials have issued increasingly urgent warnings for organizations to patch a critical vulnerability in Microsoft Exchange servers. A group of Chinese government hackers dubbed Hafnium has been exploiting the vulnerability to gain access to the servers of public and private entities.

“This is a significant vulnerability that could have far-reaching impacts. First and foremost, this is an active threat,” White House press secretary Jen Psaki said Friday.

Microsoft released a patch last week, so hackers have escalated their efforts to find new victims before it is applied, officials warn.

At least 30,000 organizations across the United States have been hacked by the Chinese group, Brian Krebs first reported. That includes more than 4,000 state and local governments and critical infrastructure providers. The Cybersecurity and Infrastructure Security Agency (CISA) hosted a call on Friday urging the organizations to immediately patch the vulnerability. There is no indication that federal agencies have been hacked using the Microsoft vulnerability.

The White House is expected to gather officials this week to consider creating a task force to review the incident and determine a potential response. The U.S. has not yet formally attributed the attack since U.S. government personnel are working to determine which hacker groups are doing what at this point.

The targeting of local governments and small businesses could make remediation hard, as many state and local governments do not have strong cybersecurity resources. Some state governments have already found their IT systems suffering under the weight of the pandemic. Any major impact on health services could further delay vaccine distribution and key relief services.

Leaving the problem unaddressed would permit hackers to remotely use the servers without the need for credentials.

Even worse, although Microsoft has issued a patch for the vulnerability, the patch will not get hackers out of compromised networks.

As noted in an alert published by the US Cybersecurity and Infrastructure Security Agency (CISA) on March 6, Microsoft’s team has published a script on GitHub that can check the security status of Exchange servers. 

This new development has already outpaced the number of SolarWinds victims. U.S. intelligence placed the number of SolarWinds victims at around 100 companies and nine federal agencies. At least 18,000 SolarWinds clients worldwide downloaded the malware Russian hackers used to get into users’ systems.

There is debate about the reason for this attack. Victims seem random. Possibly the hackers desire to cause more disruptions. If they are inside a compromised network, they could infect it with ransomware or destroy/exfiltrate data.

First thing? Apply the patch!

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email: | Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson