At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.
Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.
In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.
Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.
Microsoft’s initial advisory about the Exchange flaws credited Reston, Va.-based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.
But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.
“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
This is a huge problem, because Exchange is used by just about every big business in America, not to mention numerous government agencies. It dominates the market so thoroughly that it’s hard to find market-share reports on its competitors.
This hack, of course, is the second big Chinese hack, following the Office of Personnel Management hack under the Obama Administration.
Here’s a timeline of the hack. Evidently Chinese hackers chained no fewer than four zero-day vulnerabilities to pull it off.
Internet security is hard, and no one in the Federal government (with the possible exception of DoD and certain three-letter agencies) seems to take it seriously.
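Adair’s point above is the one that matters for anyone running Exchange: the patch closes the door, but it does not remove a web shell that was dropped before you patched. The script below is an added example, not code from the Krebs article or from Microsoft, that does the first triage step an administrator would run on the server itself: it walks the directories Exchange exposes over HTTP, flags any ASPX/ASHX/ASMX file that was written recently or that contains the request-evaluating patterns typical of one-line web shells, and records a hash of each hit. The install paths, the ten-day lookback and the signature regexes are assumptions; adjust them to your environment.

```powershell
# Added example (not from the article): hunt for ASPX web shells in the
# directories Exchange serves over HTTP. Paths, lookback window and
# signatures are assumptions; run as an administrator on the Exchange host.
param(
    [string]$ExchangeRoot = "C:\Program Files\Microsoft\Exchange Server\V15",
    [string]$InetpubRoot  = "C:\inetpub\wwwroot",
    [datetime]$Since      = (Get-Date).AddDays(-10)   # assumed lookback
)

# Web-reachable directories where dropped shells have been reported.
$scanDirs = @(
    (Join-Path $ExchangeRoot "FrontEnd\HttpProxy\owa\auth"),
    (Join-Path $ExchangeRoot "FrontEnd\HttpProxy\ecp\auth"),
    (Join-Path $InetpubRoot  "aspnet_client")
)

# Regexes for the common one-line shells: a server-side block that
# evaluates or executes whatever arrives in the HTTP request.
$patterns = @(
    'eval\s*\(\s*Request',            # JScript eval(Request[...])
    'Request\.Item\[',                # C# shells reading Request.Item[...]
    'System\.Diagnostics\.Process',   # spawning a child process
    'Process\.Start|cmd\.exe',        # launching a command shell
    '\.Write\(Request'                # echoing request content straight back
)

$findings = foreach ($dir in $scanDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -Include *.aspx,*.ashx,*.asmx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file    = $_
            $content = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
            # Collect every signature the file matches (may be none).
            $hits = @($patterns | Where-Object { $content -match $_ })
            # Report on either a signature hit or a suspiciously recent write.
            if ($hits.Count -gt 0 -or $file.LastWriteTime -ge $Since) {
                [pscustomobject]@{
                    Path          = $file.FullName
                    LastWriteTime = $file.LastWriteTime
                    SizeBytes     = $file.Length
                    SHA256        = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                    Indicators    = ($hits -join '; ')
                }
            }
        }
}

if ($findings) {
    $findings | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
} else {
    Write-Host "No recent or signature-matching ASPX files found under the scanned directories."
}
```

Treat every hit as something to triage, not as proof of compromise: installing the March 2 update itself rewrites files under these directories, so the recency check alone will fire on a freshly patched server, and the signature hits are what separate a dropped shell from a legitimate logon page. Preserve the file and its hash before deleting anything, and remember that a shell found here means the attackers already had code execution, so a clean scan of these folders is only the beginning of the investigation. Microsoft later published its own Test-ProxyLogon.ps1 in its CSS-Exchange repository, which adds IIS and Exchange log checks on top of this kind of file sweep.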
Tags: China, Crime, data security, hacking, Hafnium, Microsoft, Microsoft Exchange, technology, Volexity, zero day exploit
Quote: This hack, of course, is the second big Chinese hack, following the office of Personnel and Management hack under the Obama Administration.
Notice the pattern? A major hack under Obama (D). No major hack under Trump (R). Another major hack just after Biden (D) takes office. The Chinese know who they can push around and who they can’t.
@Nike Perry
I would have to go digging but I’m pretty sure there were hacks under Trump, too. They’ve been pretty steady for the last 15 years or so, regardless of administration.
Actually, if you see the timeline, the first intrusions date back to January 3, while Trump was still in the White House.
Though I suspect fear of Trump did indeed keep the Chinese in check more than Joe “10% For The Big Guy” Biden…