Hackers Steal Email From 30K US Orgs Via Microsoft Flaw: Report

‘It’s police departments, hospitals, tons of city and state governments and credit unions. Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack,’ a source tells KrebsOnSecurity.

Chinese hackers have taken advantage of four Microsoft Exchange Server vulnerabilities to steal emails from at least 30,000 organizations across the United States, KrebsOnSecurity reported.

The state-sponsored Hafnium hacking group has dramatically ramped up its attacks on American small businesses, towns, cities and local governments since Microsoft released a patch late Tuesday, according to KrebsOnSecurity. The victims include thousands of U.S. banks, credit union, non-profits, public utilities, telecommunications providers, and police, fire, and rescue units, KrebsOnSecurity reported.

“It’s police departments, hospitals, tons of city and state governments and credit unions,” one source working closely with federal officials told KrebsOnSecurity. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”

[Related: Microsoft Exchange Vulnerability Much Larger Than Company Is Saying: Huntress]

Microsoft said Friday it’s working closely with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), other government agencies and security companies to provide the best guidance and mitigation for customers. Most victim organizations so far are running some form of Internet-facing Microsoft Outlook Web Access (OWA) email systems in tandem with Exchange servers internally, KrebsOnSecurity said.

“They [Microsoft] will say, ‘Patch, but it’s better to go to the cloud,’” one government cybersecurity expert told KrebsOnSecurity. “But how are they securing their non-cloud products? Letting them wither on the vine.”

The Chinese hackers have seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected system, Krebs reported. In each recent attack against vulnerable, unpatched Exchange servers, KrebsOnSecurity said Hafnium has left behind an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser.

Over the past few days, Hafnium has shifted into high gear, moving quickly to scan the internet for Exchange servers that aren’t yet protected by Microsoft’s security updates, Volexity President Steven Adair told KrebsOnSecurity. Volexity said Tuesday it has seen exploitation of Microsoft Exchange vulnerabilities to steal email and compromise networks, with the attacks beginning back on Jan. 6.

Adair told KrebsOnSecurity Friday that he’s fielded dozens of calls from state and local government agencies pleading for help after identifying backdoors in their Exchange servers. But patching only blocks Hafnium’s entry points into an organization and doesn’t undo the damage that’s already been inflicted, according to KrebsOnSecurity.

The longer it takes for victims to remove the backdoors, the more likely it is that Hafnium will follow up by installing additional backdoors and potentially broadening the attack to include other portions of the victim’s network infrastructure, Adair told KrebsOnSecurity. Many local governments and school districts are desperately clamoring for help, a government cybersecurity expert told KrebsOnSecurity.

“If these numbers are in the tens of thousands, how does incident response get done?” the expert said to KrebsOnSecurity. “There are just not enough incident response teams out there to do that quickly.”

Microsoft claimed Tuesday that Chinese hackers were executing only “limited and targeted attacks” against on-premises Exchange servers. But managed detection and response (MDR) vendor Huntress has pushed back against Microsoft’s attempts to downplay the attacks, arguing the scope of compromise is widespread.

Roughly 800 of the 3,000 Exchange servers Huntress has checked are still susceptible to the zero-day vulnerabilities being exploited by Chinese hacking group Hafnium, Senior Security Researcher John Hammond said in a Friday update to his blog post. In addition, Huntress said Friday that more than 300 of its partners’ servers have received malicious web shell payloads.

“This seems to be a much larger spread than just ‘limited and targeted attacks’ as Microsoft has suggested,” Hammond wrote in his initial blog post Wednesday. “These [victim] companies do not perfectly align with Microsoft’s guidance.”