At Least 30,000 US Organizations Newly Hacked Via Holes In Microsoft's Email Software (krebsonsecurity.com)
An anonymous reader quotes a report from Krebs On Security: At least 30,000 organizations across the United States -- including a significant number of small businesses, towns, cities and local governments -- have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that's focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
In each incident, the intruders have left behind a "web shell," an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser that gives the attackers administrative access to the victim's computer servers. Speaking on condition of anonymity, two cybersecurity experts who've briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over "hundreds of thousands" of Microsoft Exchange Servers worldwide -- with each victim system representing approximately one organization that uses Exchange to process email. Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed "Hafnium," and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft's initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities. "We've worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today," Volexity President Steven Adair said. "Even if you patched the same day Microsoft published its patches, there's still a high chance there is a web shell on your server. The truth is, if you're running Exchange and you haven't patched this yet, there's a very high chance that your organization is already compromised."
A Microsoft spokesperson said in a statement: "The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources."
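The report's practical point is that patching closes the door but does not evict whoever already came through it: a web shell planted before the patch keeps working afterwards. The check a defender wants is therefore a comparison of the server-side script files currently on disk against a baseline taken from a clean install. The script below is an added example written for this page, not code from Krebs, Volexity or Microsoft; the web root, file names and file contents it uses are constructed for the demonstration, and the idea of hashing every `.aspx`-style file under a web root is a generic integrity check rather than a description of any specific intrusion.

```python
"""Added example: baseline comparison for server-side script files in a web root.

Run build_baseline() against a known-good install (or a freshly patched server
whose files you have verified), store the result, and run
find_unexpected_scripts() periodically and after any incident. Everything in
demo() is constructed for this example.
"""
import hashlib
import os
import tempfile

# Extensions that execute on the server; these are the ones a web shell would use.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _script_files(web_root):
    """Yield (relative_path, absolute_path) for every script file under web_root."""
    for dirpath, _, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, web_root), full


def build_baseline(web_root):
    """Map relative path -> SHA-256 for every script file; take this from a clean install."""
    return {rel: sha256_of(full) for rel, full in _script_files(web_root)}


def find_unexpected_scripts(web_root, baseline):
    """Return sorted (status, relative_path) pairs for files that are NEW (not in the
    baseline) or CHANGED (present but with a different hash).

    File timestamps are deliberately not used as the signal: an intruder can set
    an mtime to anything, but cannot make a modified file hash to the old value."""
    findings = []
    for rel, full in _script_files(web_root):
        digest = sha256_of(full)
        if rel not in baseline:
            findings.append(("NEW", rel))
        elif baseline[rel] != digest:
            findings.append(("CHANGED", rel))
    return sorted(findings)


def demo():
    """Constructed scenario: a clean web root is baselined, then one shipped page is
    altered and one unexpected page appears. Returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        auth_dir = os.path.join(root, "owa", "auth")
        os.makedirs(auth_dir)
        for name in ("index.aspx", "status.aspx"):
            with open(os.path.join(auth_dir, name), "w") as f:
                f.write("<%@ Page %> constructed original page\n")
        baseline = build_baseline(root)

        # Simulated post-patch state: status.aspx altered, unexpected.aspx added.
        with open(os.path.join(auth_dir, "status.aspx"), "a") as f:
            f.write("<!-- constructed appended content -->\n")
        with open(os.path.join(auth_dir, "unexpected.aspx"), "w") as f:
            f.write("<%@ Page %> constructed file not in the baseline\n")
        return find_unexpected_scripts(root, baseline)


if __name__ == "__main__":
    for status, path in demo():
        print(f"{status:8} {path}")
```

The baseline has to come from somewhere you trust; taking it from the server you are worried about after the fact only tells you what changes from that moment on. A file that is unchanged since a clean baseline can still be served by a web shell living elsewhere (a config-level handler, a module), so this check is one signal to pair with request-log review, not a proof of a clean server.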
who puts exchange on the internet?!? (Score:3, Informative)
Re: (Score:1)
Re: (Score:2)
Companies that don't have expertise/equipment/physical plant to run an in-house network?
Re: (Score:1)
Companies that don't have expertise/equipment/physical plant to run an in-house network...
Should use 365.
Re: who puts exchange on the internet?!? (Score:1)
365 uses Exchange on the backend. It's likely Microsoft patched their systems before releasing any details, but the hack has been in use for a few years. The best thing is to run a real MTA in front of your O365 instances for filtering purposes.
Re: (Score:1)
A few years no. Since December perhaps. All signs point to about 5 weeks ago though. Those using 365 were the most protected from this. Not that it matters, nobody should ever send an email that contains anything they aren't comfortable having every intelligence service on the planet reading and that's been the case since email was invented.
Re: (Score:1)
Re:who puts exchange on the internet?!? (Score:5, Interesting)
If it's using TLS, what's the difference? No different than online banking. You make a TLS connection and then authenticate over it. You can use private certificates.
People should authenticate beforehand (Score:3)
Re: (Score:1)
They should have hired me instead.
Re: (Score:1)
To install something else instead.
Re:who puts exchange on the internet?!? (Score:5, Informative)
Almost everyone who uses Exchange puts Exchange on the internet; that's how Microsoft designed the software to be deployed. It's an internet mail server - its purpose is to send and receive email, and that happens with senders and recipients who are outside the organization; SMTP transport is over the internet.
Then people within that Exchange organization need to connect all their mobile devices and check their e-mail -- there's no workgroup type network involved in that, such things have been on the way out. People check their mail from their phones connected to cellular networks, or the WiFi network of whatever place they're working from; i.e. connections coming in to the IIS web server from the internet. That means Exchange has to be capable of accepting the connections from those devices over the internet, of course.
Re: (Score:1)
If you're still putting exchange on the internet, you deserve to be compromised.
You can put exchange on the internet as long as you don't have your security on the server setup so badly that something like this actually runs.
Protection (Score:4, Insightful)
The best way to protect yourself is to not use Microsoft software. Remember, Steve Ballmer testified in court that Windows NT was a national security nightmare. Windows is just the opening act for the national security nightmare shitshow.
Re: (Score:3)
Re:Protection (Score:5, Informative)
...even Linux OS and software packages!
When Linux has a major exploited vulnerability, it's major news.
When Microsoft has a major exploited vulnerability, it's a day that ends in "y".
All software has bugs, but Microsoft software has a lot more of the exploitable security kind.
Average two vulnerabilities per day (Score:5, Insightful)
You could probably name one or two vulnerabilities that have come up in Linux. You've probably seen the news stories when there is a vulnerability.
On average, Microsoft releases patches for 60-75 new vulnerabilities each month. That's two new vulnerabilities a day. Every day.
Go check the last few patch Tuesdays. Only 60 new vulnerabilities is a good month for Windows.
If you can't tell the difference between "X happened once" and "Y happens twice a day, every day", maybe you're not as smart as I thought you were.
Re:Average two vulnerabilities per day (Score:5, Interesting)
On average, Microsoft releases patches for 60-75 new vulnerabilities each month. That's two new vulnerabilities a day. Every day.
In terms of equivalency, Linux is not much better, vulnerabilities are found constantly across all manner of userland packages which make up a typical distro, while Windows is one monolithic blob that includes many userland packages already. The key differences are that Linux distros tend to release a patch immediately, while Windows waits a month (unless it is really bad) and Linux allows you to restrict what each userland process can do to a very granular level if you’re willing to use AppArmor or TOMOYO. Of course, many benefit from SELinux with prebuilt policies which are good enough in most cases.
However, if we are being brutally honest, in the real world, there are a lot of Linux sysadmins who do not test patches as they are released to testing repos, who then immediately apply them when they go stable. As a result, many systems do not get immediate patching, which does not end well. Despite the risks, idiots still turn off perfectly valid SELinux targeted policies or (on systems using other LSMs) they do not bother creating valid policies.
If administrators did their jobs correctly, most of these 30,000 organisations would not have been penetrated regardless of whether they used Windows or Linux. Vulnerabilities are found daily across both systems but most of them can be secured in a way which prevents intrusion by those who lack even the most basic of authorisation to access the systems in the first place.
Re: (Score:2)
there are a lot of Linux sysadmins who do not test patches as they are released to testing repos, who then immediately apply them when they go stable
I meant who do not immediately apply them when they go stable.
Re: (Score:2)
The real reason is that Exchange offers a lot of great targets, especially if you can get them all at once.
Re: (Score:2)
Yeah, what can you do?
Might as well just add the hacking groups to your email distribution lists.
Re: (Score:1)
Re: (Score:2)
"The best protection is to apply updates as soon as possible across all impacted systems"
Came here to say the same. No, sir, best protection is not to apply updates on Microsoft software but abandon Microsoft software ASAP.
In fact, your efforts on abandoning Microsoft software are like 20 years behind schedule.
Gov Cloud (Score:4, Interesting)
Gotta wonder how this affected Microsoft's Government Cloud(s).
Re: (Score:1)
It hasn't.
Re: (Score:2)
Based on?
Re: (Score:1)
Re: (Score:2)
Actually the Office 365 service does have Exchange.
https://www.microsoft.com/en-u... [microsoft.com]
Reston, VA reporting vulnerabilities (Score:2)
Microsoft's initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities.
Interesting site for a revealing expose.
Reston ebola [cbsnews.com] put this place on the pandemic map.
Re: (Score:1)
Prior to this week, every time there was a massive hack like that, they found "bear footprints" at the site. Exhibit A - Solarwinds, where we were told for months that it is elite uber hacking by Ivan and not an intern setting up an ftp site with external access and password "solarwinds123".
As per the new instructions, the security "experts" have found "panda footprints" this ti
Well... the 365 thing... (Score:1)
Seems that Microsoft software is hacked more often than dogs bark.
Genesis for sure, but which chapter? (Score:2)
I'm sure I saw this warning in the MS Bible, but I can't remember which chapter it was put in. It was an early book - Genesis, I'm sure. But chapter and verse? I never committed it to memory without booking a memory purge and garbage collection cycle as well.
If you were harmed by Microsoft Exchange (Score:2)
You may be entitled to compensation. Contact your local law firm today!
Re: (Score:2)
We have been told that one of the benefits of closed source software that you paid a license to use, over using open source software, was that you had someone that you could sue if things went wrong. It will be interesting to see if any of the 30,000 organizations are able to exercise this benefit.
Good thing everyone uses the same email system (Score:2)
Re: (Score:2)
All companies and public installations I know of use Microsoft Exchange and Outlook here in Denmark. I can only extrapolate to the rest of the world.
But how many use the on-prem version and have it directly exposed to the Internet?
(I’m also here in Denmark)
Re: (Score:2)
Almost everyone who deploys Exchange opens the required ports: TCP port 25 for incoming SMTP from the internet, and port 443 for connectivity to ActiveSync so people's iPhones can connect, and Outlook Web Access / Remote Access, and "Outlook Anywhere", so people can, you know, um... read their e-mail.
For sure there are ways of hardening remote connectivity to mail servers such as required VPNs and client certs - out of 50 companies, maybe 1 company does that, and the rest of them will have none of th
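The comment above lists what actually rides on port 443 of an Exchange server: ActiveSync, Outlook Web Access and Outlook Anywhere all arrive through IIS, and so does any web shell, since it is reached over HTTPS like any other page. That makes the IIS request log the natural place to look. The script below is an added example written for this page, not code from the commenter, Microsoft or Exchange. The virtual-directory names in `EXCHANGE_VDIRS` are the standard Exchange ones (`/owa`, `/ecp`, `/Microsoft-Server-ActiveSync`, `/rpc` for Outlook Anywhere, `/EWS`, `/mapi`, `/Autodiscover`, `/OAB`, `/PowerShell`); the log lines, IP addresses and the known-page allow-list are constructed for the demonstration and would in practice be populated from a clean install's file listing.

```python
"""Added example: per-service accounting and script-file triage over IIS W3C logs.

parse_w3c() reads the #Fields: header so column order does not matter; classify()
maps each request to the Exchange service it hit and flags .aspx requests that the
install is not known to ship; triage() summarises a whole log. The sample log and
the KNOWN_PAGES allow-list are constructed for this example.
"""
from collections import Counter

# Standard Exchange virtual directories served by IIS on port 443.
EXCHANGE_VDIRS = (
    "/owa", "/ecp", "/Microsoft-Server-ActiveSync", "/rpc", "/EWS",
    "/mapi", "/Autodiscover", "/OAB", "/PowerShell",
)

# Constructed allow-list: in practice, every .aspx a clean install ships, lower-cased.
KNOWN_PAGES = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}

# Constructed sample log in IIS W3C extended format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-03-05 10:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&DeviceId=ABC 443 198.51.100.10 Apple-iPhone/1 200
2021-03-05 10:00:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 198.51.100.11 Mozilla/5.0 200
2021-03-05 10:00:03 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll - 443 198.51.100.12 MSRPC 200
2021-03-05 10:00:04 10.0.0.5 POST /owa/auth/unexpected.aspx - 443 203.0.113.7 Mozilla/5.0 200
2021-03-05 10:00:05 10.0.0.5 GET /owa/auth/unexpected.aspx - 443 203.0.113.7 Mozilla/5.0 200
2021-03-05 10:00:06 10.0.0.5 GET /somedir/page.aspx - 443 203.0.113.8 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields: header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def classify(row):
    """Map a request to (service, note). note is None when nothing looks unusual."""
    stem = row["cs-uri-stem"].lower()
    service = next(
        (v for v in EXCHANGE_VDIRS
         if stem == v.lower() or stem.startswith(v.lower() + "/")),
        None,
    )
    if service is None:
        return "other", "path outside the Exchange virtual directories"
    if stem.endswith(".aspx") and stem not in KNOWN_PAGES:
        return service, "script file not in the known-page list"
    return service, None


def triage(text):
    """Return (requests per service, findings).

    Each finding is (client_ip, method, uri_stem, service, note)."""
    per_service = Counter()
    findings = []
    for row in parse_w3c(text):
        service, note = classify(row)
        per_service[service] += 1
        if note:
            findings.append(
                (row["c-ip"], row["cs-method"], row["cs-uri-stem"], service, note)
            )
    return per_service, findings


if __name__ == "__main__":
    counts, hits = triage(SAMPLE_LOG)
    for service, n in counts.most_common():
        print(f"{n:5} {service}")
    for hit in hits:
        print("REVIEW:", *hit)
```

Two things the sample is built to show: a request to a script file that the install does not ship is worth a look even when it returns 200 and comes from an ordinary browser user agent, and a path outside the Exchange virtual directories is a separate, cheaper signal that needs no allow-list at all. Populate `KNOWN_PAGES` from a clean install rather than from the server under review, for the same reason a file baseline has to come from somewhere trusted.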
Re: Good thing everyone uses the same email system (Score:2)
yolo (Score:1)
Smash and Grab? (Score:1)
Use Exchange and Outlook at your own peril (Score:2)
Our US built China as superpower (Score:1)
Re: (Score:2)
The former alleged president has shown the way? Wot? Paying U.S. farmers for the food they are no longer shipping to China because his alleged administration could think beyond: I want.
Or maybe you are referring to the U.S. trade deficit with China, which is now larger than when he took his alleged office?
Use crap software, get hacked (Score:2)
What else is new? That the offerings by MS are not fit for real use has been known for a long, long time.