Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security China Microsoft United States

US Issues Warning After Microsoft Says China Hacked Its Mail Server Program (nbcnews.com) 122

An anonymous reader quotes a report from NBC News: The U.S. has issued an emergency warning after Microsoft said it caught China hacking into its mail and calendar server program, called Exchange. The perpetrator, Microsoft said in a blog post, is a hacker group that the company has "high confidence" is working for the Chinese government and primarily spies on American targets. The latest software update for Exchange blocks the hackers, prompting the U.S. Cybersecurity and Infrastructure Security Agency to issue a rare emergency directive that requires all government networks do so.

CISA, the U.S.'s primary defensive cybersecurity agency, rarely exercises its authority to demand the entire U.S. government take protective steps to protect its cybersecurity. The move was necessary, the agency announced, because the Exchange hackers are able "to gain persistent system access." All government agencies have until noon Friday to download the latest software update. In a separate blog post, Microsoft Vice President Tom Burt wrote that the hackers have recently spied on a wide range of American targets, including disease researchers, law firms and defense contractors. There was no immediate indication that the hack led to significant exploitation of U.S. government computer networks. But the announcement marks the second instance in recent months that the U.S. scrambled to address a widespread hacking campaign believed be the work of foreign government spies.

This discussion has been archived. No new comments can be posted.

US Issues Warning After Microsoft Says China Hacked Its Mail Server Program

Comments Filter:
  • by inode_buddha ( 576844 ) on Wednesday March 03, 2021 @10:36PM (#61121906) Journal

    ... Outlook not so good!

    • Microsoft https server config has problems

      "server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server."

      on a more serious note, they should really really fix their Email to enable DANE for SMTP (RFC 7672) for secure mail server connections!
      https://github.com/baknu/DANE-for-SMTP/wiki [github.com]

      • Alternatively - do it the easy way with MTA-STS.

        DANE is dead and DNSSEC is on life support.

        • by guruevi ( 827432 )

          Yes, replace obscure and little used solution that offers no real value with an even more obscure and little used solution that offers no real value.

          As we've seen, spammers can set up DNSSEC just as well, and often better than the "real people", looking at my e-mail servers, a properly configured e-mail domain is more likely to be from spammers than from real businesses.

          Likewise none of that would have helped here, as they broke Exchange's proprietary protocols (which aren't standards) to elevate themselves

          • Was DNSSEC ever about preventing spam, or was that just a popular conflation similar to people thinking transport layer encryption was ever supposed to be relied on for organizational validation and other trust signals outside the scope of encryption?
    • by gosso920 ( 6330142 ) on Wednesday March 03, 2021 @11:32PM (#61122024)
      Russia is old and busted. China is the new bogeyman. We have always been at war with Eastasia.
      • Re:Confucious say (Score:5, Informative)

        by Cmdln Daco ( 1183119 ) on Thursday March 04, 2021 @12:40AM (#61122118)

        China has been at war with us since 1949.

        • In the 1990s, continued "most favoured nation" status for the People's Republic of China by the United States created controversy because of its sales of sensitive military technology and China's serious and continuous persecution of human rights.[6] China's MFN status was made permanent on December 27, 2001. All of the former Soviet states, including Russia, were granted MFN status in 1996. On a bilateral level, however, the United States could not grant MFN status to some members of the former Soviet Unio
          • by dcw3 ( 649211 )

            Which in no way refutes Cmdln Daco's comment.

          • Re: (Score:3, Insightful)

            by DarkOx ( 621550 )

            This is point that should be made over and over again.

            At the urging of Vice President Joe Biden,[8] the Jackson-Vanik amendment was repealed with Magnitsky Act (which attempts to punish human rights violations without hampering trade) on December 14, 2012

            What this really mean is money before people and before scruples. The simple fact is not hampering trade more or less makes continued and flagrant abuse of human rights entirely painless for all but despots in the tiniest little duchies who actually feels some pain from individual sanctions in their their own domestic economies can't given them access to the banking tools and lifestyle items them want. Its certainly of no real consequence to Vladimir Pu

            • Jason-Vanik amendment was intended to sanction countries that restrict emigration, with USSR preventing its Jews from emigrating to Israel particularly in mind. By 2012, Russia hasn't been doing that for over two decades, and many were rightly pointing out that the amendment was effectively obsolete. This isn't to say that Russia isn't authoritarian, or that some form of sanctions isn't a good idea - but that's a separate issue.

      • And Russia is just sleeping

      • Re:Confucious say (Score:4, Insightful)

        by tlhIngan ( 30335 ) <slashdot&worf,net> on Thursday March 04, 2021 @04:23AM (#61122348)

        Russia is old and busted. China is the new bogeyman. We have always been at war with Eastasia.

        Well, that's because Joe Biden isn't owned by Russia like Trump was - with lots of interests keeping him afloat.

        And President/Dictator for life Xi of China is trying to change the world, literally. Instead of things like "free speech" or "democracy" as driving principles of good government, Xi wants "happiness". The Uyghur genocide is about making people "happy" and suppressing criticism makes people happy as well.

      • by thomst ( 1640045 )

        gosso920 sneered:

        Russia is old and busted. China is the new bogeyman. We have always been at war with Eastasia.

        Fuck off and die, húndàn ...

    • Oh - that little startup that's working with the belgian governments to provide a super-secure ID-system state-wide ? NOOO! their brand-new mail platform got compromised ?
      well i guess we all have our hiccups in the first year of business ... lack of money ... or was that talent ? I feel safer already ... the state will give me an ID - tracked by Crotter Inc who is open about the fact they share all data with the NSA without warrant, "just ask, we are good americans"
      which one of those two companies was t
  • by beepsky ( 6008348 ) on Wednesday March 03, 2021 @10:45PM (#61121920)
    The US should go on an offensive cyber campaign and hack every thing they can in China with the purpose of humiliating the CCP and sending them a message.
    If there's one thing those fascists can't stand it's being humiliated and disrespected, so hack Baidu and put a photoshopped picture of Xi sucking a cock on the front page, etc.
    • Comment removed based on user account deletion
      • If you think China doesn't hack the US you're mentally disabled.
        It's not like the "Russia hacked the election" thing, it's actually well documented, just like their 50 cent army of shills of which you may well be a part of.
        • Re: (Score:2, Insightful)

          You're the one who managed to conflate fascism with communism. That doesn't make you look very intelligent. I think you should avoid using big words until you know and understand the actual dictionary definitions of them.

          • Re:Nuke Beijing (Score:5, Insightful)

            by beepsky ( 6008348 ) on Wednesday March 03, 2021 @11:08PM (#61121972)
            You really shouldn't talk about things you don't understand. China is very far from being communist or even socialist.
            • Re: (Score:3, Informative)

              Oh look, an internet commenter who knows all about China. Say, why don't we ask Xi Jinping himself? After all, he's written a piece specifically for people like you, called Xi Jinping in Translation: Chinaâ(TM)s Guiding Ideology [palladiummag.com]. Who's got more education on the topic here?

              First of all: Socialism with Chinese Characteristics is socialism. It is not any other sort of "ism." The foundational, scientific principles of socialism cannot be abandoned; only if they are abandoned would our system no longer

              • by Anonymous Coward

                socialist democratic politics

                Clearly he's talking shit then. Being a dictator and all...
                So take everything else with a grain of salt too.

                • Chinese get to vote. The local people elect the local committee. The local committee elects the district committee. It goes on and on, up and up to city government, provincial, to the very top. The difference is that they don't let the stupids vote. How many times have I seen on Slashdot that everyone wishes we could lock out stupid people from voting, and let the smart ones decide everything? Well China HAS that system.
                  • by Shaitan ( 22585 )

                    First of all you are pretending a dictator fairly tallies any vote. Given the strict control and manipulation of all media and communication in China you wouldn't know. Which comes to the next point... when the government controls all information presented to "smart ones" they get to determine their opinion (which will logically follow from that information) and are rigging the election, even without manipulating a single other thing.

                    • Comment removed based on user account deletion
                    • by Shaitan ( 22585 )

                      False equivalence. A favored tactic of the CCP everywhere... because China most definitely does not limit its information warfare to attacks on its own people.

                    • Comment removed based on user account deletion
                    • by Shaitan ( 22585 )

                      "I have no desire to visit China due to its shitty government, but to not recognize the current anti-China propaganda blitz as being just part of America's trade war with China is just being lazy."

                      No, it is recognizing that the government of China was evil and well known to be evil all along and some greedy assholes ignored that and sold us out for their own gain. Now China is trying to undermine principles of freedom and personal liberty throughout the world.

        • If you think China doesn't hack the US you're mentally disabled. It's not like the "Russia hacked the election" thing, it's actually well documented, just like their 50 cent army of shills of which you may well be a part of.

          The: 'Russians hacked the DNC' thing is documented, the: 'Russians hacked the RNC' thing is documented, the: 'Russians tried to hack election systems in all 50 states' thing is documented. The bone of contention is really whether they swung the 2016 election or not. Personally I don't think they did. However, the mere fact that they still got into a large number of election systems before chickening out is still highly problematic. Never mind the fact that both the Russians and the Chinese seem to have hack

      • by thomst ( 1640045 )

        Anonyrnous sneered:

        Mmm...koolaid is yummy! I believe every piece of propaganda bullshit mega-corps tell me at face value because critical thinking make my bwainy hurt!

        Fuck off and die, húndàn ...

    • Re:Nuke Beijing (Score:4, Insightful)

      by phantomfive ( 622387 ) on Wednesday March 03, 2021 @11:27PM (#61122012) Journal

      The US should go on an offensive cyber campaign and hack every thing they can in China with the purpose of humiliating the CCP and sending them a message.

      What kind of message do you think that would send, exactly? That we're drunk frat boys?

    • They cant make any themselves, their to fucking stupid for that.
      • by Anonymous Coward

        They cant make any themselves, their to fucking stupid for that.

        "They can't make any themselves. They're too stupid for that." I can't decide if that's sarcasm, satire, or if you're really that fucking stupid.

        .

    • by quenda ( 644621 )

      I'll get Anton right onto it. "Suck it, Jin Ping!"

      https://steamuserimages-a.akam... [akamaihd.net]

  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Wednesday March 03, 2021 @10:48PM (#61121930)
    Comment removed based on user account deletion
    • You must be new here. Happy day after Patch Tuesday everyone.

    • In their report, they presented no evidence that China was the culprit.

    • Blinken said so.

      This is EXACTLY ON THE NEXT DAY AFTER HE DECLARED CHINA THE US ENEMY OF THE 21ST CENTURY.

      Yeah... sure... Coincidence? I think not. More like Convenience. Spelled almost the same.

    • by thomst ( 1640045 )

      Anonyrnous sneered:

      China did it!

      Fuck off and die, húndàn ...

    • Actually, the notification I received through Microsoft's Partner Network did not mention China specifically. The notification stated...

      We are contacting you to alert you to Microsoft’s release of patches for multiple different on-premises Microsoft Exchange Server zero-day vulnerabilities that are being exploited by a nation-state affiliated group.

  • Some techs are going to be having some late nights tonight. Hope they stay safe and get OT / Safe transport home
    • Actually, we're a day behind. Everybody who had automatic updates on last night got it already. Yesterday was just the typical Patch Tuesday...

      • by chill ( 34294 )

        No, they didn't. The patches for this are not part of the monthly roll-up. You need to apply them explicitly, after applying the monthly roll-up. These will be a part of next month's patches, but if you're relying on automatic updates for this, you're screwed.

  • We've seen this before... bug in Microsoft Exchange, everybody take today's patch. The only difference in today's report is that the hackers are in China, cell phones are being made in China, and China is trying to feel better than us.

    China, China, China.. feel scared yet? Now go patch your Exchange.

    • by Creepy ( 93888 )

      We did an emergency patch... but have business directly with China, lol. Admittedly, the stuff I work on directly is blocked from anything outside America, but a lot of the stuff that I enhance on is developed in China (and I even lost my Job to China in 2018, but they were fucked doing US customizations, which, I happen to specialize in - thanks for the $80000 pay boost - basically double what I made before).

    • by thomst ( 1640045 ) on Thursday March 04, 2021 @10:21AM (#61123024) Homepage

      The New Guy 2.0 sneered:

      China, China, China.. feel scared yet? Now go patch your Exchange.

      The key detail in the above story is not that the vulnerability exists in Exchange. Anyone who uses Exchange is a damn fool, anyway. The key detail is that CISA has issued an order that ALL U.S. government Exchange servers MUST be updated by the end of the business day on Friday, because China has already been exploiting this zero-day vulnerability for an unknown length of time, and has ALREADY used it to gain access (sorry) to government systems - presumably including every system they could identify - as well as some unknown (but, again presumably, non-trivially-large) number of civilian systems.

      Feel scared yet? Because you should.

      This is not routine. It's an attack surface so severe that it has Cybersecurity Command shitting its britches, telling EVERY government entity that runs Exchange, "Update, then patch your shit, motherfuckers! You have 36 hours to comply, or your ass is grass!"

      CISA has never treated any previous zero-day with that kind of urgency. If unpatched, it allows access to ring 0, you dilettante! That means that, if the system you administer runs Exchange, and the employer for whom you work has ANY data that might interest the Chinese government, it's already inside your network, and that data has already been pwned.

      Updating and patching your Exchange server (pro tip: you have to do both, in that order) may staunch the bleeding, but that doesn't reduce this catastrophe to the kind of mundane status you'd like to believe it deserves.

      And any fool who buys your casual dismissal of the severity of this zero-day deserves to hang up his or her pocket protector, and slink away in shame to the Old Sysop's Home ...

      • CISA has never treated any previous zero-day with that kind of urgency. If unpatched, it allows access to ring 0

        Is that true? Why does Exchange have any high level privileges?

      • Anyone who uses Exchange is a damn fool, anyway.

        Apparently written by another tedious IT practitioner who thinks he's smarter than everyone else. As in "anyone who uses Micro$oft products is a fool". "Anyone who doesn't use sudo is an idiot". Blah blah blah.

        For what it's worth, I know a great many people who use Exchange Server and who are not fools. It happens to have a lot of nice features. It sync's e-mail, calendar, contacts, and more across multiple platforms. It has native clients on both Android and iOS. It has a pretty nice web-based interface th

  • by medv4380 ( 1604309 ) on Wednesday March 03, 2021 @11:28PM (#61122014)
    By putting all exchange servers into one cloud as MS pushes it makes it so there is a single target. Once it's compromised everyone using that system has to assume they were hit along with everyone else. It's the equivalent of putting all your eggs in one basket.
    • by raymorris ( 2726007 ) on Wednesday March 03, 2021 @11:36PM (#61122032) Journal

      There is some truth to that.

      On the other hand, every patch Tuesday when Microsoft releases another 60 vulnerabilities it's a race between the hackers exploiting them vs the companies trying to first test, then deploy patches. If you're using Microsoft's cloud you are already protected before the vulnerability is released publicly.

      Cloud security is *different* from on-prem. Not better or worse, just different.

      • by Tablizer ( 95088 ) on Thursday March 04, 2021 @01:49AM (#61122196) Journal

        Cloud security is *different* from on-prem. Not better or worse, just different.

        It reminds me a lot of the nuclear reactor (NR) versus petroleum debate. Petroleum probably causes more deaths on average than NR's via asthma, cancer, etc.; but NR's make news when they go wrong. NR's create "spiky" risk while petro kills slow and steady.

        • Re: (Score:3, Interesting)

          by raymorris ( 2726007 )

          I understand what you're trying to get it. And ...

          There's been exactly ONE nuclear power accident with fatalities greater than about one or two - Chernobyl. A guy, one guy, got cancer attributed to Fukushima. In other accidents, I think one guy died when he dropped a rod; in the early days a researcher accidentally created critical mass and he may have eventually died.

          Just ordinary workplace accidents alone, slip and fall type things, in the oil industry kill more people than nuclear power does.

          The numbe

          • You are completely right about the safety of nuclear power.

            About China Syndrome, there is some important context. Right after the China Syndrome movie was released, nuclear power advocates quickly denounced it as utterly unrealistic, saying that it was impossible to have an accident like the one described in the movie: a loss of coolant accident that was caused by a malfunctioning gauge reporting excessive cooling water levels when the water levels were actually dangerously low because a valve got stuck, re

          • by Tablizer ( 95088 )

            A guy, one guy, got cancer attributed to Fukushima. In other accidents, I think one guy died when he dropped a rod;

            I want to make sure we don't ignore the indirect or un-countable danger of releasing radiation into the environment. Fukushima's radiation has increased the radioactivity of fish used for food, for example. Almost the entire Pacific Ocean has been affected. Whether that will increase total cancer occurrences in the world to a concern-able level is a matter of debate. Ideally, we don't want that

            • > Ideally, we don't want that extra radiation in the ocean.

              It's not ideal, in the way 0.000... and perfectly spherical cows are ideal.

              Also, the concern about the water at Fukushima is tritium.
              There's some tritium, less than a gram I believe, in the wastewater. Tritium is the stuff used to make watches and exit signs glow.

              So when we're balancing real-life alternatives, not spherical cows, would you rather have thousands of gallons of uses engine oil leaking onto the ground and eventually into your drinki

              • by Tablizer ( 95088 )

                Currently nuclear is roughly 3% of all power generated. If it replaced oil, then the accident rate and results would be much higher.

                Anyhow, I already agreed that nuclear is less dangerous than oil on average in my first message.

      • by mysidia ( 191772 )

        If you're using Microsoft's cloud you are already protected before the vulnerability is released publicly.

        Also... It's simply not the case that every user of the service would need to assume they are targeted; If the service provider maintains the appropriate logging and auditing, they should be able to narrow down what was accessed in the event of a breach, which customers may be impacted and need to alert -- It's not like services such as O365 are a couple servers resembling an Enterprise on-pr

      • by larwe ( 858929 )
        _Centralized_ (multitenant) cloud services inherently cannot escape the "juicy target" problem. It's simple economics; if it costs me $250K to hack one corporation or one isolated cloud instance, or $1MM to hack a central multitenant cloud that hosts 5, 10, 100 big corporations - it's always a better bet to go for the big target. There is a certain amount to be said for the "biodiversity" of having self-hosted systems; an alert infosec staff will ensure that you don't trail the cloud security updates by muc
        • > Most importantly you drastically increase the cost for hackers to penetrate a large number of systems and you force them to make economic decisions about which targets to prioritize.

          You forget we're using computers. Computers are really, really good at repeating the same thing really, really fast. Once I develop an exploit for a Exchange vulnerability, my cost to deploy it to 10,000 companies is under $100.

          Managing the databases at $large_security_company, I learned that one of the best ways to detect

          • by larwe ( 858929 )
            I reply to this again with the biodiversity comment. If there is a simple exploit where a generic payload gets you EVERYTHING you want - sure. But there's far more often a lot more to "getting in" (and "staying in" and "getting some profitable action taken") than simply using one automatable exploit. After you're "in" you need to figure out what the topology is behind whichever wall you just breached - which different orgs will structure differently - then once you find out what doors are exposed to you, yo
            • That's true - whether Exchange is on-prem or not.
              It's MORE true when Exchange isn't on-prem, because getting into Exchange doesn't out you directly in their network.

              That is, if you have an Exchange exploit, that alone will get you access to the Exchange server. If the Exchange server is on the local network, having the Exchange server means you have a foothold in the the local network.

              • by larwe ( 858929 )
                On-prem Exchange servers are not _usually_ Internet-facing, at least not at orgs with which I'm familiar. So before you can even do them an attacc, you need to get into the org's VPN.
                • Initial numbers from the briefing I just left indicate that about 5-10% of Exchange servers are already *infected*. Not just vulnerable, but already infected as of about an hour ago.

                  So apparently a lot of companies allow employees to access their work email when they aren't in the office, by exposing their CAS on the web.

      • "On the other hand, every patch Tuesday when Microsoft releases another 60 vulnerabilities" that they know about. A buggy Exchange Server 'in the cloud' is still buggy. Not that the spooks need rely on bugs to get access to your files 'in the cloud'.
        • I'll just leave you with what one of the experts on Exchange security, @swiftonsecurity had to say yesterday:

          "If you're not Fortune 50 company, running your own Exchange Server is organizational clownery at this point."

          If you think you know more about Exchange security than Swift does, perhaps we should rename the Dunning-Krueger effect after you.

    • by Anonymous Coward on Wednesday March 03, 2021 @11:53PM (#61122058)

      If you had read the linked directive from DHS, you'd know that this is not an issue with cloud-based services, but on-premises servers:

      "CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network."

      I know we love to gang-up on the cloud, but at least try to be accurate in your criticism, otherwise it just makes you sound like a vacuous blowhard.

    • by chill ( 34294 )

      The cloud servers aren't impacted. These are flaws for on-prem Exchange servers, and Exchange 365 in a hybrid configuration. That's a buzzwordy way of saying "we do both cloud and non-cloud".

      These are vulnerabilities against the non-cloud stuff.

      • by mysidia ( 191772 )

        Yep. On-Premise only. That Unified Messaging feature (UM) feature that had the component vulnerable due to the serialization issue Doesn't even exist as part of the Exchange 365 service - MS has something completely different there.

         

    • By putting all exchange servers into one cloud as MS pushes it makes it so there is a single target. Once it's compromised everyone using that system has to assume they were hit along with everyone else. It's the equivalent of putting all your eggs in one basket.

      I'm genuinely curious as to what you think "the cloud" is? Sure the meme is it's someone else's computer, but the reality is more that it's hundreds of other people's virtual machines spread across various hardware. With every company somehow requiring some kind of access to their networks from outside the actual risk of someone compromising the Exchange Server on the cloud, vs Exchange Server in the IT room is no different. And at these scales the provisioning from resources between companies are also kept

  • so they said until everyone is hacked
    • by ebvwfbw ( 864834 )

      so they said until everyone is hacked

      I still have a hell of a time convincing anyone to use encryption. Even windows 10 can load GPG. Outlook supports it. Evolution supports it. Even gmail seems to support it via evolution. I tried to get others to use it and I might as well have asked them to collect all the underwear in their dresser drawers and send it to me. In fact, they may have done that before they'd do encrypted e-mail.

      So basic, free and people won't do it. Like a free lock for your front door and nobody wants a lock on their front do

  • Hahahaha sukkaz
  • by Canberra1 ( 3475749 ) on Thursday March 04, 2021 @07:20AM (#61122496)
    Management is to blame. If sensitive stuff was accessed, it should be on a secure solution, not an inapproriate solution that does not have a certification for that level. Bog standard COTS is a disaster. And include the word alledged until you are in a position to show and tell. Stop blaming others, and start crucifying PHB's who willfully sabotage security, yet still pocket bonuses,
  • Russia, China, Israel, Iran, India... and U$A genius RICO families' and
    C*Os' perfidious politicians and prosperity cult-clergy are
    Wealth/Power Accumulation Clubs (W/PAC) of Luddite-technophobes.

    The U$A governance of the USA has put #AllOfUS last in priority. Look at USA State Of Union (Education, Infrastructure, Science, Medicine, Communities, Industry, Economics, Finances...). U$A pays for QAnon (Question Answer nonsense) agitprop and MSM/SM pseudo-news.

    Ask:
    How does U$A setup US to fail?
    Why does U$A want U

  • When do we mount a minimal defense? And how long after that do we wait before we retaliate?

    And as we consider true cyberwar, which, if you consider it for more than a moment, will be not merely disruptive, but disastrous beyond previous measure, consider a lesson from WWI - gas, in particular, was found to be an intolerable weapon. WWII was not as brutal as it could have been, had the belligerents resorted to widespread use of gas and similar weaponry.

    Real cyberwar will leave you hungry, cold, and sitting

  • It turns out all the Chinese do is see how their servers were hacked by the Americans then use the same techniques to hack them.

Avoid strange women and temporary variables.

Working...