Chinese hackers using an exploit in Microsoft’s Outlook email software likely netted “high-value espionage targets,” according to the Wall Street Journal, citing ‘people briefed on the matter.’
The victims – which range from as few as ‘tens of thousands’ to ‘higher than 250,000’ Outlook users – appear to primarily be small businesses and state and local governments. One security firm, Mandiant, said in a blog post this week that Exchange Server abuse dates back to January, and that victims also included at least one university and an engineering firm.
The hackers have been exploiting a series of four flaws in Microsoft’s Exchange software to break into email accounts and read messages without authorization, and to install unauthorized software, the company said. Those flaws are known as zero days among cybersecurity professionals because they relied on previously undisclosed software bugs, suggesting a high degree of sophistication by the hackers. –WSJ
“It was being used in a really stealthy manner to not raise any alarm bells,” said cybersecurity expert, Steven Adair, whose firm Volexity Inc. was one of the first to flag Microsoft about the issue.
On Tuesday, Microsoft went public with the attack and identified the culprits as a Chinese cyperespionage group called Hafnium. Once caught, a software patch was issued – however before that happened, the hackers switched tactics and began using automated software to identify vulnerable servers on the internet and target them, said Adair.
“The attackers cranked up a huge notch over this past weekend,” he said, adding “They’re just hitting every Exchange server they can find on the internet.“
Despite the likely ‘high-value espionage targets,’ the Journal says the hackers were unlikely to have much in the way of intelligence due to the nature of the victims. That said, several government officials have gone on record to warn about its potential severity – while the Cybersecurity Infrastructure Security Agency “Issued a rare emergency directive this past week requiring federal government agencies to immediately patch or disconnect products running Microsoft Exchange on-premises products.” CISA also issued a Thursday update to its alert warning that the Chinese hackers were using automated tools to crawl the internet for vulnerable Exchange servers.
CISA held a call Friday with more than 4,000 critical infrastructure partners in the private sector and state and local governments encouraging them to patch their systems.
Also on Friday, White House press secretary Jen Psaki told reporters during a press briefing that the Microsoft vulnerabilities were of significant concern and “could have far-reaching impacts” and result in a “large number of victims.” –WSJ
On Friday, a Microsoft spokesman said they’re working with security companies and government agencies to contain the incident, however they would not disclose the estimated scope of the attack.
This latest hack comes three months after a suspected Russian hack after US networking-software provider SolarWinds was infiltrated, resulting in a breach of nine government agencies and around 100 companies. The difference, according to the Journal, is that this Chinese hack was “more of a shotgun blast, infecting tens of thousands of victims or more.”
While Microsoft has said the two attacks aren’t related, security experts cited by the Journal have suggested that incident-response teams have their hands so full with fallout from the SolarWinds hack that they are “already pushed to their limits.”
According to Symantec security researcher Vikram Thakur, a “handful” of hacking groups, “all linked to China,” are behind the attacks, while the victims “have tended to be small and medium-size organizations because many larger ones either don’t run some of the Exchange components that include these flaws or limit access to Exchange by using security tools such as virtual private networks,” according to Thakur.
Those using Microsoft’s cloud-based Office 365 products are unaffected by the hack.