A massive cyberattack on Microsoft Exchange email software has hit about 30,000 people in the United States. The attack is believed to have been initiated by a state-sponsored Chinese hacking group. The Exchange Server weakness leveraged by the group, known as Hafnium, has been patched, but the trouble is not over yet. Now that the fix is public, criminals can see what was changed, reverse-engineer exploits of their own, and mount attacks such as ransomware against anyone who is still exposed.
The effects were seen in the same week that Microsoft first released its patches. Many as-yet-unidentified groups have been observed getting in on the action over the past few days, and many more hackers are expected to follow.
Many companies and organizations use Microsoft's Exchange Server software: some get their email through Microsoft's cloud offerings, while others run Exchange Server on their own premises. Last Tuesday, it was reported that Microsoft had put out patches for four vulnerabilities in its Exchange Server software and announced that a state-sponsored Chinese hacking group called Hafnium was behind the spree. On Monday, it was reported that several actors were still taking advantage of unpatched on-premises Exchange Server systems to attack companies. That evening, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security said that vulnerable organizations urgently needed to take action. It is clear that no matter how bad things are right now, they are likely to get worse if proper action is not taken. As John Hultquist, vice president of intelligence analysis at FireEye, put it, there is a point when moves like these pass from the hands of espionage operators into the hands of criminals and open source; that is when it becomes scary, and that is what is happening right now.
Patches are vital for protecting any organization, but attackers can also study a patch to learn what was fixed and work out how to exploit the underlying vulnerability. Cryptocurrency mining and ransomware are also expected to enter the game. Threat intelligence analysts from the security firms Red Canary and Binary Defense say that attackers are already laying the groundwork on exposed Exchange servers to run crypto miners. The main thing concerning everyone right now is the release of a proof-of-concept exploit.
What Is a Proof-of-Concept?
Before assessing the potential harm it can bring, it is crucial to understand what we mean by the term. A proof of concept is an exercise that determines whether or not an idea can be turned into reality; it is done to establish the feasibility and the functionality of the idea.
The reason everyone is scared by the release of a proof of concept is that it provides a blueprint hacking tool for others to use. Some researchers develop proof-of-concept exploits in order to protect their customers; the concern arises when a proof of concept is published, making it available to everyone.
On Tuesday, researchers from the security firm Praetorian said that they had developed an exploit for the Exchange vulnerabilities. According to the firm, they had deliberately left out some key details so that not just any attacker, regardless of skill, would be able to weaponize the tool. The Praetorian researchers said on Tuesday that they had chosen to refrain from releasing the complete exploit, but that a full exploit would soon be released by the security community. On Wednesday, the security researcher Marcus Hutchins reported that a working proof of concept was circulating publicly. In reality, patching is a relatively slow process for many companies and organizations, and attackers often rely on vulnerabilities that were patched years ago but still persist on people's networks. Many companies lack the funding or expertise to make major upgrades or migrate to the cloud, and sectors such as health care and infrastructure can find it hard to make major changes to their systems or move off legacy services. According to Red Canary's Nickels, public scans still show more than 10,000 Exchange servers that are vulnerable and could be attacked very soon.
For organizations that are unable to update their Exchange servers for some reason, Microsoft on Monday issued additional emergency fixes for old and unsupported versions. However, the company has emphasized that these additional patches only contain updates for the four vulnerabilities currently being actively exploited; they do not bring deprecated versions of Exchange Server up to date.
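The two preceding paragraphs describe the triage problem a defender faces: some servers are unpatched, some carry the security update on a supported build, and some carry only the emergency fix on an unsupported build and still need a full upgrade. The following script, an added example that is not from this article or from Microsoft, sorts an inventory of on-premises Exchange hosts into those three categories by build number. Every build number in BUILD_TABLE and SAMPLE_INVENTORY is a constructed placeholder: the table must be filled from Microsoft's published build numbers before use, and the hostnames are invented.

```python
"""Triage an on-premises Exchange inventory by reported build number.

Added example, not from the article. The build table and inventory below are
constructed placeholders; real values come from Microsoft's published build
numbers for each cumulative update (CU) and security update (SU).
"""
from dataclasses import dataclass

# Constructed placeholder table keyed by the first three components of the
# reported build ("major.minor.series"). Each entry records whether that CU is
# still in support and the lowest fourth component that carries the fix for
# the four actively exploited vulnerabilities. Numbers are NOT real.
BUILD_TABLE = {
    "15.1.9001": {"name": "Exchange 2016 CU-A (placeholder, supported)",
                  "supported": True, "min_fixed_rev": 8},
    "15.1.9000": {"name": "Exchange 2016 CU-B (placeholder, out of support)",
                  "supported": False, "min_fixed_rev": 12},
    "15.2.9002": {"name": "Exchange 2019 CU-C (placeholder, supported)",
                  "supported": True, "min_fixed_rev": 10},
}


@dataclass(frozen=True)
class Finding:
    host: str
    status: str   # "patched" | "interim-fix-only" | "exposed" | "unknown"
    detail: str


def parse_build(version: str) -> tuple:
    """Parse 'major.minor.series.rev' into a 4-tuple of ints; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Exchange build string: {version!r}")
    return tuple(int(p) for p in parts)


def triage(host: str, version: str) -> Finding:
    """Classify one host. Malformed or unknown builds are flagged, never assumed safe."""
    try:
        major, minor, series, rev = parse_build(version)
    except ValueError as exc:
        return Finding(host, "unknown", str(exc))
    key = f"{major}.{minor}.{series}"
    entry = BUILD_TABLE.get(key)
    if entry is None:
        return Finding(host, "unknown", f"build series {key} not in table; verify manually")
    if rev < entry["min_fixed_rev"]:
        return Finding(host, "exposed",
                       f"{entry['name']}: security update missing "
                       f"(have .{rev}, need at least .{entry['min_fixed_rev']})")
    if not entry["supported"]:
        # The emergency fix closes the four exploited bugs only; the CU itself
        # is still deprecated and must be upgraded to receive future updates.
        return Finding(host, "interim-fix-only",
                       f"{entry['name']}: emergency fix present, full CU upgrade still required")
    return Finding(host, "patched", f"{entry['name']}: current")


def triage_inventory(inventory) -> list:
    """Run triage over (host, version) pairs, worst cases first."""
    order = {"exposed": 0, "unknown": 1, "interim-fix-only": 2, "patched": 3}
    findings = [triage(h, v) for h, v in inventory]
    return sorted(findings, key=lambda f: order[f.status])


def summarize(findings) -> dict:
    """Count hosts per status so the exposure can be reported at a glance."""
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# Constructed sample inventory (hostnames and builds are invented).
SAMPLE_INVENTORY = [
    ("mx-a.example.test", "15.1.9001.8"),    # supported CU, fixed
    ("mx-b.example.test", "15.1.9001.4"),    # supported CU, update missing
    ("mx-c.example.test", "15.1.9000.12"),   # unsupported CU, emergency fix only
    ("mx-d.example.test", "15.2.9002.3"),    # supported CU, update missing
    ("mx-e.example.test", "15.2.9002.10"),   # supported CU, fixed
    ("mx-f.example.test", "15.1.9000"),      # malformed: three components
]

if __name__ == "__main__":
    results = triage_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.status:17} {f.host:22} {f.detail}")
    print(summarize(results))
```

The point of the three-way split is the caveat in the paragraph above: a host on an out-of-support build that received the emergency fix is not "vulnerable" to these four bugs, but it is also not "patched" in the sense of being current, and it should stay on the upgrade list. Treating malformed or unrecognised versions as "unknown" rather than silently skipping them keeps the report honest about what was actually checked.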
It is worth noting that as incident responders work to clean up the infections caused through these Exchange Server vulnerabilities and brace for a possible new wave of exploitation, they are also reflecting on past high-profile hacking campaigns. Before Microsoft Exchange Server there was SolarWinds, and before SolarWinds there was Accellion. Although the scale and scope of these incidents differ greatly, researchers are reluctant to draw conclusions about their larger impact.