Tens of thousands of US-based organizations are running Microsoft Exchange servers that have been backdoored by threat actors who stole administrator passwords or exploited critical vulnerabilities in the email and calendaring application. Microsoft released emergency patches on Tuesday, but they do nothing to disinfect systems that have already been compromised.
KrebsOnSecurity was the first to report the mass hack. Reporter Brian Krebs, citing several unnamed sources, put the number of compromised US organizations at at least 30,000, and the number of hacked organizations worldwide at at least 100,000. Other news outlets, also citing unnamed sources, quickly followed with posts reporting that the hack had hit tens of thousands of organizations in the United States.
"This is the real deal," Chris Krebs, former head of the Cybersecurity and Infrastructure Security Agency, said on Twitter, referring to the attacks on on-premises Exchange, also known as Outlook Web Access. "If your organization runs an OWA server that is exposed to the Internet, assume compromise between 02/26 and 03/03." His comments were accompanied by a tweet on Thursday from Jake Sullivan, President Biden's White House national security adviser.
That's the real deal. If your organization runs an OWA server that is exposed to the internet, expect a compromise between 02/26 and 03/03. Look in C:\inetpub\wwwroot\aspnet_client\system_web for 8-character aspx files. If you get a match in this search, you are now in Incident Response Mode. https://t.co/865Q8cc1Rm
– Chris Krebs (@C_C_Krebs) March 5, 2021
Hafnium has company
Microsoft announced Tuesday that on-premises Exchange servers were being hacked in "limited targeted attacks" by a China-based hacking group the software maker calls Hafnium. Following Brian Krebs' report on Friday, Microsoft updated its post to state that "these vulnerabilities are increasingly being used in attacks on unpatched systems by multiple malicious actors outside of HAFNIUM."
Katie Nickels, director of intelligence at security firm Red Canary, told Ars that her team found Exchange servers compromised by hackers using tactics, techniques, and procedures that differ significantly from those of the Hafnium group Microsoft named. She said Red Canary counted five "clusters that look different, (though) saying whether the people behind them are different or not is really challenging and unclear right now."
On Twitter, Red Canary said that some of the compromised Exchange servers the company has been tracking were running malware that security firm Carbon Black analyzed in 2019. That malware was part of an attack that installed cryptomining software called DLTminer. Hafnium is unlikely to install such a payload.
Microsoft said Hafnium is a skilled hacking group based in China that focuses primarily on stealing data from US infectious disease researchers, law firms, higher education institutions, defense contractors, political think tanks and non-governmental organizations. According to Microsoft, the group hacked servers either by exploiting the recently fixed zero-day vulnerabilities or by using compromised administrator credentials.
It is not clear what percentage of the infected servers were compromised by Hafnium. Microsoft warned Tuesday that the ease of exploiting the vulnerabilities made it likely that other hacking groups would soon join Hafnium. If ransomware groups are not yet among the clusters compromising servers, it is almost inevitable that they soon will be.
Brian Krebs and others reported that tens of thousands of Exchange servers have been compromised with a webshell that hackers install once they gain access to a server. The software allows attackers to enter administrative commands through a terminal window that is accessed through a web browser.
The researchers were careful to note that simply installing the patches Microsoft released in Tuesday's emergency update does nothing to disinfect servers that have already been backdoored. The installed webshells and any other malicious software will persist until they are actively removed, ideally by completely rebuilding the server.
People who manage Exchange servers on their networks should drop everything they are doing and carefully examine their machines for any signs of compromise. Microsoft has listed indicators of compromise here. Administrators can also use this script from Microsoft to test whether their environments are affected.
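The sweep Chris Krebs describes above, written out as an added example that is not code from Microsoft or from the article: it walks the `system_web` directory (or any copied wwwroot), flags `.aspx` files whose base name is exactly 8 characters or whose modification time falls in the 02/26 to 03/03 window, and hashes each hit so it can be compared against Microsoft's published indicators. The function names and the constructed sample tree are this example's own.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Directory and date window are the ones named in the tweet quoted above.
DEFAULT_DIR = r"C:\inetpub\wwwroot\aspnet_client\system_web"
WINDOW_START = datetime(2021, 2, 26, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 3, 4, tzinfo=timezone.utc)  # exclusive, i.e. through 03/03


def sha256_of(path):
    """Hash the file so each hit can be compared with published IoC hashes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webshell_candidates(root=DEFAULT_DIR, start=WINDOW_START, end=WINDOW_END):
    """Walk root and flag .aspx files whose base name is exactly 8 characters
    or whose modification time lies in [start, end). Returns one dict per hit,
    sorted by path, so the output can go straight into a ticket or a SIEM."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".aspx":
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        reasons = []
        if len(path.stem) == 8:
            reasons.append("8-char-name")
        if start <= mtime < end:
            reasons.append("mtime-in-window")
        if reasons:
            hits.append({"path": str(path), "reasons": reasons,
                         "mtime": mtime.isoformat(), "sha256": sha256_of(path)})
    return hits


def build_constructed_sample():
    """Constructed test tree (not real data): one 8-character file, one file
    dated inside the window, and one benign page matching neither criterion."""
    base = Path(tempfile.mkdtemp())
    (base / "abcdefgh.aspx").write_text("<%@ Page %>")       # 8-char name, mtime now
    inwin = base / "error_page.aspx"
    inwin.write_text("<%@ Page %>")
    os.utime(inwin, (1614556800, 1614556800))              # 2021-03-01 00:00 UTC
    (base / "legit_page.aspx").write_text("<%@ Page %>")    # 10 chars, mtime now
    return str(base)


if __name__ == "__main__":
    for hit in scan_webshell_candidates(build_constructed_sample()):
        print(hit["path"], hit["reasons"], hit["sha256"][:12])
```

An attacker can alter timestamps and need not use an 8-character name, so an empty result is not a clean bill of health; Microsoft's indicators and script linked above remain the authoritative check.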
The escalation of the Exchange server hacks this week comes three months after security experts exposed the hacking of at least nine federal agencies and about 100 companies. The main vector for that infection was software updates from network tool maker SolarWinds. That mass hack was one of the worst computer intrusions in US history. The Exchange server hack may soon claim that distinction.
There is still a lot that is unknown. For now, people would do well to follow Chris Krebs' advice: assume that on-premises servers are compromised and act accordingly.