Hackers have been targeting bugs in Exchange Server since early January.
Exploitation of four vulnerabilities in Microsoft Exchange Server has resulted in about 30,000 U.S. government and private organisations, including police forces, universities, and non-profits, having their email compromised. Microsoft released a patch for the four zero-day vulnerabilities in Exchange Server a couple of days ago, but that did not deter a hacking group from taking advantage of the situation.
According to Microsoft, the flaws in Exchange Server were targeted by a previously unknown Chinese hacking group it calls “Hafnium.” In the days after Microsoft released the Exchange fix, the group is said to have doubled its activity, attacking unpatched servers around the globe and breaching the accounts of some 30,000 U.S. organisations. State councils, banks and lending institutions, as well as police forces, hospitals and non-profits, are said to be among them.
Krebs on Security explains that, “In each incident, the intruders have left behind a ‘web shell,’ an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.”
Although the attacks have escalated in recent days, the group has allegedly been exploiting the vulnerabilities since the beginning of January. In fact, the first attacks silently hit victims on January 6, 2021, a day when all eyes were fixed on the U.S. Capitol.
Thoughts on the Hafnium Exchange hack: (1) it’s going to disproportionately impact those that can least afford it (SMBs, Edu, States, locals), (2) incident response teams are BURNED OUT & this is at a really bad time, (3) few orgs should be running exchange servers these days. https://t.co/bc5yutThve
— Chris Krebs (@C_C_Krebs) March 6, 2021
Microsoft says that self-hosted (on-premises) servers running Exchange Server 2013, 2016, or 2019 are at risk and that administrators should apply its security patch as a matter of urgency. If your organisation uses Exchange Online, it is not affected.