Security vulnerabilities in Microsoft Exchange Server – the big end is yet to come
16 March 2021
It is difficult to determine who first drew attention to the security vulnerabilities in Exchange Server. Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, was one of the first to point them out on Twitter.
His namesake, journalist Brian Krebs, found that attacks on the Exchange vulnerability had been going on since January 6 of this year. Steven Adair, head of the IT security firm Volexity, had been following the developments. According to his notes, the attackers initially selected a small number of targets, but in February they began to automatically plant backdoors on tens of thousands of e-mail servers per day. After Microsoft disclosed the vulnerability, thousands more attacks followed, he said.
It was only on March 2, however, that Microsoft provided security updates for four vulnerabilities and announced (or admitted) that they were already being actively exploited. Microsoft also named the attackers: the criminal hacker group Hafnium, which, according to Microsoft, is close to the Chinese state. Microsoft also appeared to know how they operated: the attackers worked from rented virtual private servers in the USA. As expected, the Chinese government has denied the accusations.
In the meantime, it is becoming increasingly clear that, apart from the “Chinese”, just about every group capable of exploiting the flaw has used or is still using the opportunity, because it cannot be ruled out that some IT departments have still not taken any countermeasures.
There is also a still incomplete overview of who is affected: in the USA alone, 30,000 government institutions and companies are said to have been hacked via the four zero-days, according to Krebs. Small businesses, municipalities, police departments, hospitals and credit unions were affected, he said. Globally, Krebs estimates that hundreds of thousands of organizations were affected.
According to Check Point, Turkey, the U.S. and Italy are currently the countries most affected by the Exchange attacks; the researchers put their shares at 19, 18 and 10 percent respectively. The most common targets include government and military agencies, industrial companies, banks, the healthcare sector and educational institutions. Palo Alto Networks, meanwhile, estimates that at least 125,000 Exchange servers worldwide are likely still unpatched.
The attacks initially targeted mainly U.S. research institutions dealing with pandemics, universities, law firms or organizations in the defense sector. White House spokeswoman Jennifer Psaki called it a “current threat” and advised people to install an available security update as soon as possible. “We are concerned that there are a large number of victims.”
Meanwhile, Microsoft itself has not denied that it is no longer the “Chinese” alone but also criminal hacker groups that are exploiting the vulnerability. In a recent analysis, the IT security firm ESET counts at least ten such groups, which have already placed web shells on more than 5,000 Exchange servers in more than 115 countries. The European Banking Authority (EBA), for example, reported that it had been attacked.
According to F-Secure security expert Rüdiger Trost, German companies are particularly badly affected in an international comparison. Background: “German companies fear the cloud and therefore often operate services such as Exchange locally.”
The German Federal Office for Information Security (BSI) judged the threat from cyber attackers to 9,000 companies and other institutions to be so high that it warned them of the danger by letter post. A few days ago, it raised its threat level to “Level 4/Red.” This means: “The IT threat situation is extremely critical. Failure of many services, regular operations cannot be maintained.” On Twitter, BSI President Arne Schönbohm wrote over the weekend that the agency is particularly concerned about “small and medium-sized businesses in Germany.” “It is to be expected that cyber criminals will soon attack in an automated way, i.e. a big wave is coming to organizations worldwide.” According to Schönbohm, at the time of his statement there were still “20,000 known open systems.”
According to the BSI, eight federal authorities are affected. In at least two cases, a compromise is assumed. One affected agency is the Federal Environment Agency.
Local authorities have also issued warnings and are urging companies to install the updates. A current example: since the end of last week, several reports of data breaches have already been received, the state commissioner’s office announced on Thursday.
Looking to the future, Rüdiger Trost is pessimistic and expects the worst is still to come: “Everything is conceivable: attacks on companies with the aim of blackmail, industrial espionage, but also attacks on critical infrastructure.”