IOTW: A Massive Zero-Day Attack On Microsoft Exchange Users

What seemingly began as a targeted hack on government agencies and large enterprises turned into a massive zero-day Microsoft Exchange attack.

Facts

At the beginning of the month, security firm Volexity uncovered a Microsoft vulnerability that allows hackers to take advantage of an Exchange Server flaw. It appears the threat actors have been planting web shells that enable administrative access and the ability to steal data as far back as January. The victims were targeted through their self-hosted Outlook Web Access manager. Cloud-based Outlook accounts remain secure.

The scale of the attack is astonishing. Cyber security experts believe that initially, the hacking campaign zeroed in on specific high-value victims. However, over time—and as Microsoft caught wind of the vulnerability—the hack exploded, affecting mainly small-to-midsized companies who notoriously lack a holistic cyber security framework. The patch Microsoft rolled out on March 3 only seemed to heighten the hacking efforts, presumably to install as many backdoors as possible before the patch was downloaded. As reported by Fortune on March 8, the hack boasts 60,000 victims and counting. In an unprecedented—and telling—act, Microsoft provided additional security patches for old, unsupported versions of Exchange.

Related: NSA Shares Vulnerability Discovered In Microsoft Windows 10 And Server Platforms

Further, it appears that a number of other state-sponsored and rogue hacking groups were tipped off to the vulnerability. Several additional hacking groups have recently been identified as taking advantage of the vulnerability shortly after the patch was released.  To make matters worse, the hackers managed to automate their hacking campaign, allowing them to quickly expand their efforts across the globe. From non-profits to ice cream companies; senior citizens homes to banks, no sector was left untouched.

A Chinese state-sponsored hacking group, which Microsoft refers to as Hafnium, is allegedly behind the hack. It is possible that the hack may surpass even the Russian SolarWinds attack from earlier this year in scope and scale. Best-case scenario is that these groups are simply gathering intel and engaging in espionage campaigns. Worst case, malicious software and ransomware is being left behind.

Microsoft has remained tight-lipped about the hack, simply stating that the investigation is ongoing and that it is working closely with the US Cybersecurity & Infrastructure Security Agency. For its part, the new administration has promised to act aggressively toward cyber security threats. In the case of the Russian-led SolarWinds hack, a government response, including but not limited to economic sanctions, is in the works. Experts insist that such a response is issued to China as well.

Related: Nation State Cyber Security Behavior

If gone unanswered, it sends a clear message that massive hacking campaigns are effective and worthwhile. After all, while most of the breached systems do not offer much in the way of return, hackers now have hundreds of thousands of emails to comb through at their leisure. What they’ll do with that intel, only time will tell.

Quick Tips

While the patch prevents new breaches, it does nothing to clean up the damage left behind if a system has already been breached. In this scenario, it is strongly suggested that those who fit the victim criteria assume they have been compromised and act accordingly. This includes:

1. Patching immediately, assuming this hasn’t been done already.
2. Searching (or hiring a team) to search for malicious activity.
3. If neither of these options is viable, disconnect your email infrastructure and rebuild it.
4. Move to the cloud.

The Cybersecurity and Infrastructure Security Agency offers additional in-depth mitigation advice here.  

Read More: Incident Of The Week