What just happened? Four exploits found in Microsoft Exchange Server software have led to some 30,000 U.S. government and commercial organizations - including police departments, hospitals, and nonprofits - having their emails hacked. Microsoft rolled-out a patch to fix four zero-day exploits in Exchange Server a few days ago, but that hasn't stopped a hacking group from taking advantage of the situation.
According to Microsoft, the vulnerabilities in Exchange Server are being targeted by a previously unknown Chinese hacking group known as "Hafnium." In the days since Microsoft issued the patch for Exchange, the group is said to have dramatically doubled-up its efforts, targeting unpatched servers around the world and accessing the accounts of some 30,000 U.S. organizations. This is said to include local governments, banks, and credit units, as well as police departments, hospitals, and nonprofits.
Krebs on Security explains, "In each incident, the intruders have left behind a 'web shell,' an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim's computer servers."
Although the attacks have exploded in recent days, the group has reportedly been taking advantage of the vulnerabilities since early January. In fact, the first attacks were quietly targeting users on January 6, 2021 - a day when all eyes were focused on the U.S. Capitol.
Thoughts on the Hafnium Exchange hack: (1) it's going to disproportionately impact those that can least afford it (SMBs, Edu, States, locals), (2) incident response teams are BURNED OUT & this is at a really bad time, (3) few orgs should be running exchange servers these days. https://t.co/bc5yutThve
--- Chris Krebs (@C_C_Krebs) March 6, 2021
Microsoft explains that self-hosted servers running Exchange Server 2013, 2016, or 2019 are at risk and should download its security patch as a matter of urgency. If your organization uses Exchange Online, it won't be affected.