In late 2020, news broke of a massive hacking campaign targeting thousands of users of software from IT firm SolarWinds. The scope of that attack felt unprecedented but now, just months later, a separate hacking campaign has compromised an even larger swath of victims.
Microsoft disclosed last week that a hacking group linked to China was exploiting vulnerabilities in its Exchange Server email software to spy on companies. It urged all Exchange Server users to install new emergency software updates to patch the security holes (the vulnerabilities do not affect Exchange Online, a separate cloud-based product).
Evidence suggests that the Exchange cyberattack could be one of the largest hacking campaigns ever. At least 30,000 US businesses and government agencies have been hacked, according to a report by independent security journalist Brian Krebs citing unnamed US security officials, which was subsequently confirmed by Wired. The total number of affected firms could be significantly higher, with small and medium US businesses notably targeted.
“SolarWinds had crippling effects on hundreds of businesses and nearly a dozen US government agencies, yet it’s safe to say the Exchange Server breach is 1,000 times more crippling because the Chinese attacked small and medium sized businesses, the lifeblood of the US and global economy,” Lior Div, CEO and co-founder of the security firm Cybereason, told Insider.
The US Cybersecurity and Infrastructure Security Agency has published an emergency directive urging all agencies running Exchange servers to either install software updates immediately or remove the software from their networks. The White House press secretary told reporters Friday that the administration is “concerned that there are a large number of victims” and that the hacks “could have far-reaching impacts.” Hackers exploited so-called “zero-day” vulnerabilities, meaning nobody was aware of the security holes until the attacks were detected.
A Microsoft spokesperson said in a statement to Insider that it is “working closely with the CISA, other government agencies, and security companies” to share information regarding the Chinese hacking group, which it has dubbed “Hafnium.”
The rate of Exchange hacks is on the rise since Microsoft disclosed the vulnerabilities
Researchers with the cybersecurity firm Kaspersky have detected a rise in the number of attacks attempting to exploit the Exchange vulnerability, even in the days after Microsoft released the patch. They’ve logged attacks in over 100 countries in “every part of the world,” with US and European organizations hit the most frequently, Kaspersky VP for threat research Anton Ivanov told Insider in an emailed statement.
“Even though the initial attacks may have been targeted, there is no reason for actors to not try their luck by attacking essentially any organization that runs a vulnerable server,” Ivanov said.
Red Canary, another threat intelligence firm, has also noticed a rise in Exchange attacks in recent days, director of intelligence Katie Nickels told Insider. Some of the recent hacks appear to be coming from entities other than the Chinese Hafnium group, which could be the result of other hackers reverse-engineering Microsoft’s patch updates to figure out the vulnerabilities — making future hacks even less predictable.
“These vulnerabilities are very serious due to the prevalence of Exchange,” Nickels said in an email. “The challenge researchers have is that it’s unclear how those clusters may be related or not.”
How to figure out if you’re vulnerable to hacks — and ensure your Exchange server is protected
Experts told Insider that any organization running an Exchange server could be vulnerable to the hacks, and that the nature of Exchange’s security holes would make it easy for intruders to escalate their attacks by stealing sensitive information, damaging victims’ servers, or encrypting their data and holding it for ransom.
Organizations running Exchange should update their software immediately, keep tabs on outgoing traffic, and make backups of their existing files, experts said.
Hackers exploiting the Exchange vulnerabilities have been able to leave behind “web shells,” or tools that let hackers easily access victims’ systems remotely after first gaining access. That means hackers could use their access to inflict even more damage by installing ransomware and holding victims’ systems hostage for money — a move that could have devastating effects.
Researchers have started developing open-source tools that let companies check whether they’ve been impacted by the hacks. Microsoft threat intelligence analyst Kevin Beaumont published a tool on GitHub that detects whether a specified URL is vulnerable. CISA has urged potential targets to run the tool immediately to determine whether they could be a target of hacks.
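The web shells mentioned above are just server-side script files dropped into a web-accessible directory, so one practical check a defender can run alongside the published tools is a scan of the web root for script files that look like shells: server-side script blocks that read attacker-controlled request input and hand it to an execution primitive, especially when the file was modified recently. The scanner below is an added illustration written for this article; it is not code from Insider, Microsoft, or Kevin Beaumont's GitHub tool. The directory layout, file names, indicator patterns, scoring weights and threshold are all assumptions chosen for the demo, and the sample files it creates are constructed test content (token strings in comments, not functioning shells).

```python
import os
import re
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple

# File types worth scoring on an IIS/ASP.NET host (assumption for the demo).
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}

# Weighted textual indicators of a web shell. Patterns and weights are
# assumptions for this example, not a vendor or vetted signature set.
INDICATORS = [
    (2, "server-side script block",
     re.compile(r'<script[^>]*runat\s*=\s*"server"', re.I)),
    (2, "reads request input",
     re.compile(r'\bRequest\s*(\[|\.(Form|QueryString|Item|Headers))', re.I)),
    (3, "code execution primitive",
     re.compile(r'\b(eval\s*\(|Process\.Start|ProcessStartInfo|cmd\.exe|'
                r'Assembly\.Load|InvokeMember)', re.I)),
    (1, "JScript page language",
     re.compile(r'Language\s*=\s*"JScript"', re.I)),
]

# Constructed samples: a benign sign-in page and a file carrying shell-like
# tokens inside comments only, so it exercises the scanner without executing.
BENIGN_SAMPLE = (
    '<%@ Page Language="C#" %>\n'
    '<html><body><h1>Sign in</h1>\n'
    '<form runat="server"><asp:TextBox runat="server" /></form>\n'
    '</body></html>\n'
)
SUSPICIOUS_SAMPLE = (
    '<%@ Page Language="JScript" %>\n'
    '<script runat="server">\n'
    '// constructed sample for the scanner: tokens only, not a working shell\n'
    '// Request["input"] ... eval(...) ... Process.Start(...)\n'
    '</script>\n'
)


def score_file(path: Path, now: float, recent_days: int = 30) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one file: indicator hits plus a recency bonus."""
    text = path.read_text(errors="replace")
    score, reasons = 0, []
    for weight, label, pattern in INDICATORS:
        if pattern.search(text):
            score += weight
            reasons.append(label)
    age_days = (now - path.stat().st_mtime) / 86400
    if age_days <= recent_days:
        score += 1
        reasons.append(f"modified within last {recent_days} days")
    return score, reasons


def scan_webroot(root: str, threshold: int = 5, recent_days: int = 30,
                 now: Optional[float] = None) -> List[dict]:
    """Walk the web root and return files scoring at or above the threshold."""
    now = time.time() if now is None else now
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            score, reasons = score_file(path, now, recent_days)
            if score >= threshold:
                findings.append({"path": str(path), "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


def build_demo_webroot() -> str:
    """Create a temporary web root with the constructed samples; returns its path."""
    root = tempfile.mkdtemp(prefix="webroot_demo_")
    auth_dir = Path(root, "app", "auth")
    auth_dir.mkdir(parents=True)
    benign = auth_dir / "logon.aspx"
    benign.write_text(BENIGN_SAMPLE)
    old = time.time() - 90 * 86400          # make the legitimate page look long-established
    os.utime(benign, (old, old))
    static_dir = Path(root, "static")
    static_dir.mkdir()
    (static_dir / "help.aspx").write_text(SUSPICIOUS_SAMPLE)   # freshly dropped file
    return root


if __name__ == "__main__":
    demo_root = build_demo_webroot()
    for finding in scan_webroot(demo_root):
        print(f"{finding['score']:>2}  {finding['path']}  ({', '.join(finding['reasons'])})")
```

Run it against a real web root by calling `scan_webroot("/path/to/webroot")`; treat hits as leads for manual review rather than verdicts, since a legitimate page can trip an indicator and a shell can be obfuscated past all of them. The recency bonus is deliberately small: it helps rank a fresh drop above old code but never flags a file on age alone.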