Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security China Microsoft United States

At Least 30,000 US Organizations Newly Hacked Via Holes In Microsoft's Email Software (krebsonsecurity.com) 51

An anonymous reader quotes a report from Krebs On Security: At least 30,000 organizations across the United States -- including a significant number of small businesses, towns, cities and local governments -- have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that's focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

In each incident, the intruders have left behind a "web shell," an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser that gives the attackers administrative access to the victim's computer servers. Speaking on condition of anonymity, two cybersecurity experts who've briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over "hundreds of thousands" of Microsoft Exchange Servers worldwide -- with each victim system representing approximately one organization that uses Exchange to process email. Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed "Hafnium," and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
Microsoft's initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities. "We've worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today," Volexity President Steven Adair said. "Even if you patched the same day Microsoft published its patches, there's still a high chance there is a web shell on your server. The truth is, if you're running Exchange and you haven't patched this yet, there's a very high chance that your organization is already compromised."

A Microsoft spokesperson said in a statement: "The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources."
This discussion has been archived. No new comments can be posted.

At Least 30,000 US Organizations Newly Hacked Via Holes In Microsoft's Email Software

Comments Filter:
  • by Anonymous Coward on Friday March 05, 2021 @07:14PM (#61128880)
    If you're still putting exchange on the internet, you deserve to be compromised.
    • by Anonymous Coward
      30,000 organizations apparently. At least that's what I have read recently.
    • Companies that don't have expertise/equipment/physical plant to run an in-house network?

      • Companies that don't have expertise/equipment/physical plant to run an in-house network...

        Should use 365.

        • 365 uses Exchange on the backend. Itâ(TM)s likely Microsoft patched their systems before releasing any details, but the hack has been in use for a few years. The best thing is to run a real MTA in front of your O365 instances for filtering purposes.

          • A few years no. Since December perhaps. All signs point to about 5 weeks ago though. Those using 365 were the most protected from this. Not that it matters, nobody should ever send an email that contains anything they aren't comfortable having every intelligence service on the planet reading and that's been the case since email was invented.

    • The company my wife works for is one of them. I was kinda shocked she was able to open her Outlook and read and send messages w/o connecting to corporate VPN. I just walked away shaking my head...
      • by awwshit ( 6214476 ) on Friday March 05, 2021 @07:34PM (#61128936)

        If its using TLS whats the difference? No different than online banking. You make a TLS connection and then authenticate over it. You can use private certificates.

    • They should have hired me instead.

    • by mysidia ( 191772 ) on Saturday March 06, 2021 @08:18AM (#61129964)

      Almost everyone who uses Exchange puts Exchange on the internet; that's how Microsoft designed the software to be deployed. It's an internet mail server - its purpose is to send and receive email.. that happens to senders and recipients who are outside the organization; SMTP transport Is over the internet.

      Then people within that Exchange organization need to connect all their mobile devices and check their e-mail -- there's no workgroup type network involved in that, such things have been on the way out.. people check their mail from their phones connected to cellular networks, or the WiFi network of whatever place they're working from; I.E. connections coming in to the IIS web server from the internet. That means Exchange has to be capable of accepting the connections from those devices over the internet of course....

    • If you're still putting exchange on the internet, you deserve to be compromised.

      You can put exchange on the internet as long as you don't have your security on the server setup so badly that something like this actually runs.

  • Protection (Score:4, Insightful)

    by StormReaver ( 59959 ) on Friday March 05, 2021 @07:25PM (#61128908)

    The best way to protect yourself is to not use Microsoft software. Remember, Steve Ballmer testified in court that Windows NT was a national security nightmare. Windows is just the opening act for the national security nightmare shitshow.

    • C'mon, all software has vulnerabilities that are exposed...even Linux OS and software packages!
      • Re:Protection (Score:5, Informative)

        by StormReaver ( 59959 ) on Friday March 05, 2021 @07:43PM (#61128968)

        ...even Linux OS and software packages!

        When Linux has a major exploited vulnerability, it's major news.

        When Microsoft has a major exploited vulnerability, it's a day that ends in "y".

        All software has bugs, but Microsoft software has a lot more of the exploitable security kind.

        • The real reason is that Exchange offers a lot of great targets, especially if you can get them all at once.

      • Yeah, what can you do?
        Might as well just add the hacking groups to your email distribution lists.

    • Azure is the most deployed VM platform and runs Microsoft and Linux VM's. It's important to point as well that networks in Russia and China relied much more on Exchange and Active Directory than say the US or EU. So I'm curious as to what and how fast the migration away from those environments could have been. I'm sure an option is to buy in to open source? But there are not many forks out there so, closed source options are obviously on the list? Putting the very people they attack downstream of EVERYTHING
    • "The best protection is to apply updates as soon as possible across all impacted systems"

      Came here to say the same. No, sir, best protection is not to apply updates on Microsoft software but abandon Microsoft software ASAP.

      In fact, your efforts on abandoning Microsoft software are like 20 years behind schedule.

  • Gov Cloud (Score:4, Interesting)

    by awwshit ( 6214476 ) on Friday March 05, 2021 @07:32PM (#61128930)

    Gotta wonder how this effected Microsoft's Government Cloud(s).

  • Microsoft's initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities.

    Interesting site for a revealing expose.

    Reston ebola [cbsnews.com] put this place on the pandemic map.

  • Seems that Microsoft software is hacked more often than dogs bark.

  • The truth is, if you're running Exchange [...] there's a very high chance that your organization is already compromised.

    I'm sure I saw this warning in the MS Bible, but I can't remember which chapter it was put in. It was an early book - Genesis, I'm sure. But chapter and verse? I never committed it to memory without booking a memory purge and garbage collection cycle as well.

  • You may be entitled to compensation. Contact your local lawfirm today!

    • We have been told that one of the benefits of closed source software that you paid a license to use, over using open source software, was that you had someone that you could sue if things went wrong. It will be interesting to see if any of the 30,000 organizations are able to exercise this benefit.

  • All companies and public installations I know off uses Microsoft Exchange and Outlook here in Denmark. I can only extrapolate to the rest of the world.
    • by Corbets ( 169101 )

      All companies and public installations I know off uses Microsoft Exchange and Outlook here in Denmark. I can only extrapolate to the rest of the world.

      But how many use the on-perm version and have it directly exposed to the Internet?

      (I’m also here in Denmark)

      • by mysidia ( 191772 )

        Almost everyone who deploys Exchange opens the required Ports TCP Port 25 for Incoming SMTP from the internet, And port 443, for connectivity to ActiveSync so people's iPhones can connect, and Outlook Web Access / Remote Access, and "Outlook Anywhere", so people can you know, um... read their e-mail.

        For sure there are ways of hardening remote connectivity to mail servers such as required VPNs and client certs - out of 50 companies, maybe 1 company does that, and the rest of them will have none of th

      • Far the most. Some do require VPN to access your mail account, but it has to be open to incoming mail from the outside.
  • China at one time relied heavily on Exchange and Outlook and had no level in their Internet were it was not used. Wherever it is found in the US be sure the utilization in China is significantly more. Attacking such low hanging fruit as a state function? Just because you cannot be "arrested" for as the State approves? It's the equivalent of smashing a store window and grabbing all you can before running off.
  • And then, when you are hacked, shut f**k up.
  • China has been built by US and US Companies predominantly as a superpower, and also by slowly and steadily stealing technology. Now it is showing its power. Trump has shown the way, and Biden has learnt quickly that he was right. Despite what many think about him. That way, India is much better. They can but they do not launch parallel companies for their local offices and do not steal technology by using hackers, mainly due to vedic tradition, no matter how lax the country may appear.
    • by gtall ( 79522 )

      The former alleged president has shown the way? Wot? Paying U.S. farmers for the food they are no longer shipping to China because his alleged administration could think beyond: I want.

      Or maybe you are referring to the U.S. trade deficit with China where it now larger than when he took his alleged office?

  • What else is new? That the offerings by MS are not fit for real use has been known for a long, long time.

In order to dial out, it is necessary to broaden one's dimension.

Working...