
Microsoft’s email breach: All the latest

A sophisticated March 2 attack on Microsoft’s widely used business email software Exchange became a global cybersecurity crisis, as hackers raced to infect as many victims as possible

- SolarWinds and HAFNIUM show the importance of arming security teams with tools to spot threats sooner
- At least 10 different hacking groups are using discovered flaws in Microsoft Corp's mail server software
- The patches do not remove any back door access that has already been left on the machines

A sophisticated March 2 attack on Microsoft’s widely used business email software Exchange became a global cybersecurity crisis, as hackers raced to infect as many victims as possible before companies could secure their computer systems.

The attack initially claimed 60,000 known victims globally, many of them SMEs caught in a wide net the attackers cast as Microsoft worked to shut down the hack.

The rapidly escalating attack drew the concern of U.S. national security officials, in part because the hackers were able to hit so many victims so quickly. 

In the final phases of the attack, the hackers appeared to have automated the process, scooping up tens of thousands of new victims around the world in a matter of days.

The Chinese hacking group, which Microsoft calls Hafnium, appears to have been breaking into private and government computer networks through the company’s popular Exchange email software for a number of months, initially targeting only a small number of victims, according to Steven Adair, head of the northern Virginia-based Volexity. The cybersecurity company helped Microsoft identify the flaws being used by the hackers for which the software giant issued a fix.

The result is a second cybersecurity crisis coming just months after suspected Russian hackers breached nine federal agencies and at least 100 companies through tampered updates from IT management software maker SolarWinds LLC.  

The SolarWinds hackers infected organizations of all sizes. 


Microsoft said customers that use its cloud-based email system are not affected.

Ed Hunter, CISO at Infoblox, told AMEinfo in an email: “SolarWinds and now HAFNIUM show the importance of arming networking and security teams with in-depth tools to spot threats sooner. This is crucial in the age of the persistent breach where nation-state actors are using cyber as a soft power alternative to diplomacy and military strikes, and where companies are getting hit as collateral damage. That the White House has formed a task force for HAFNIUM victims underscores the high stakes of preventing further fallout.”

He added that a helping hand for US federal network and security teams is on the way in the form of the approximately $14 billion earmarked in the newest stimulus bill for agencies to modernize core technologies.

“That funding will provide a funding boost for these organizations who face constant cyberattacks from some of the world’s most elite hackers. Meanwhile, security practitioners in the public and private sectors continue to pivot to a zero-trust strategy to better detect these well-cloaked intrusions,” continued Hunter.

Extent of damage 

At least 10 different hacking groups are using recently discovered flaws in Microsoft Corp’s mail server software to break into targets around the world.

The security holes in the widely used mail and calendaring solution leave the door open to industrial-scale cyber-espionage, allowing malicious actors to steal emails virtually at will from vulnerable servers or move elsewhere in the network. 

New victims are being made public daily.

Norway’s parliament announced data had been “extracted” in a breach linked to the Microsoft flaws. 

Germany’s cybersecurity watchdog agency also said two federal authorities had been affected by the hack, although it declined to identify them.

While Microsoft has issued fixes, the sluggish pace of many customers’ updates means the field remains at least partially open to hackers of all stripes. 

The patches do not remove any back door access that has already been left on the machines.

In addition, some of the back doors left on compromised machines have passwords that are easily guessed, so that newcomers can take them over.

Internet security company Netcraft said it had run an analysis over the weekend and observed over 99,000 servers online running unpatched Outlook Web Access software.

Among other things, attackers installed and used software to take email data, Microsoft said.

Microsoft released patches for 2010, 2013, 2016, and 2019 versions of Exchange.

How does the hack work?

Tom Burt, a Microsoft corporate vice president, described in a blog post last week how an attacker would go through multiple steps:

First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.
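The three-step chain above ends with a web shell left on the server. As an added defender-side illustration (not code from the article or from Microsoft), the following Python compares a web-facing directory's file inventory against a known-good baseline and flags new or modified server-side script files, the form a web shell usually takes. The paths, file contents and directory layout are constructed assumptions, not real Exchange locations.

```python
"""Web-shell hunting aid: diff a web-facing directory's file inventory against a
known-good baseline and flag new or modified server-side scripts. Added
illustration, not from the article; all paths and contents are constructed."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class FileRecord:
    path: str
    sha256: str

def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def diff_inventory(baseline, current):
    """Return (new, modified) paths in `current` relative to `baseline`."""
    base = {r.path: r.sha256 for r in baseline}
    new = [r.path for r in current if r.path not in base]
    modified = [r.path for r in current if r.path in base and base[r.path] != r.sha256]
    return sorted(new), sorted(modified)

def suspicious(paths, script_exts=(".aspx", ".asp", ".ashx")):
    """Keep only server-side script files, the form a web shell usually takes."""
    return [p for p in paths if p.lower().endswith(script_exts)]

# Constructed inventories: a baseline recorded while the server was known-good,
# and a later snapshot with one tampered and one newly dropped script file.
BASELINE = [
    FileRecord("/srv/webmail/owa/auth/logon.aspx", fingerprint(b"<%@ Page %> logon v1")),
    FileRecord("/srv/webmail/owa/auth/logo.png", fingerprint(b"\x89PNG sample")),
]
SNAPSHOT = [
    FileRecord("/srv/webmail/owa/auth/logon.aspx", fingerprint(b"<%@ Page %> logon v1 tampered")),
    FileRecord("/srv/webmail/owa/auth/logo.png", fingerprint(b"\x89PNG sample")),
    FileRecord("/srv/webmail/owa/auth/help.aspx", fingerprint(b"<%@ Page %> not in baseline")),
    FileRecord("/srv/webmail/owa/auth/readme.txt", fingerprint(b"notes")),
]

def findings(baseline=BASELINE, snapshot=SNAPSHOT):
    """Return (new_scripts, modified_scripts) worth an analyst's attention."""
    new, modified = diff_inventory(baseline, snapshot)
    return suspicious(new), suspicious(modified)

if __name__ == "__main__":
    print(findings())
```

The baseline should be recorded from a trusted install or restored image, since a baseline taken after compromise would silently whitelist the shell.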