On Friday, cybersecurity journalists Brian Krebs and Andy Greenberg reported that as many as 30,000 organizations had been compromised in an unprecedented email server hack, believed to have originated from a state-sponsored Chinese hacking group known as Hafnium.
A significant number of organisations around the world have been compromised through a “back door” installed via recently patched flaws in Microsoft’s email software, and the White House warns it “could have far-reaching impacts”.
Key points:
- Microsoft has declined to provide details on the scale of the hack
- All of those affected are thought to have used web versions of the Outlook email client
- White House press secretary Jen Psaki says there are concerns “there are a large number of victims”
The hacking has already reached more organisations than were affected by the tainted code downloaded from SolarWinds Corp, the company at the heart of another massive hacking spree uncovered in December.
The latest hack has left channels for remote access spread among credit unions, town governments and small businesses, according to records from a US investigation.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has identified extensive targeting, and has confirmed compromises, of Australian organisations with vulnerable Microsoft Exchange deployments. The ACSC is assisting affected organisations with their incident response and remediation.
The ACSC has identified that a large number of Australian organisations are yet to patch vulnerable versions of Microsoft Exchange, leaving them open to compromise. The ACSC urges these organisations to do so urgently.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) advises organisations using Microsoft Exchange to urgently patch several Common Vulnerabilities and Exposures (CVEs). It says that if successfully exploited, these CVEs together would allow an unauthenticated attacker to write files and execute code with elevated privileges on the underlying Microsoft Windows operating system.
Microsoft has observed instances where the attacker has uploaded web shells to maintain persistent access to compromised Exchange servers. Tens of thousands of organisations in Asia and Europe are also affected.
Over the weekend, that estimate doubled to 60,000 Microsoft Exchange Server customers hacked around the world, with the European Banking Authority now admitting that it is one of the victims; it also looks like Microsoft may have taken a little too long to realise the severity and patch it. Microsoft is not commenting other than frantically issuing “patches”, i.e. bandaids for their hacked code.