The quiet release of an out-of-band patch for a flaw in Microsoft’s Exchange server is rapidly turning into a major story, with credible reports of at least 30,000 organizations in the USA, and possibly hundreds of thousands around the world, being hacked by a Chinese hacker group, which now has full control of the servers and the data on them.
Krebs on Security reports that a significant number of small businesses, towns, cities and local governments have been infected, with the hackers leaving behind a web shell for further command and control.
Microsoft said the original attacks were targeted at a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs, but Krebs notes that there has been a dramatic and aggressive escalation of the rate of infection, as the hackers try to stay ahead of the patch Microsoft released.
“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” said Volexity President Steven Adair, who discovered the attack. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
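The point in the paragraphs above is that patching closes the door but does not remove a web shell that was dropped before the patch, so a patched server still needs a host-side check. The following Python script is an added example, not code from the article, from Krebs, from Volexity or from any tool the article mentions. It walks a web root for `.aspx` files modified on or after the Feb. 28 date the article gives and flags those that also contain content indicators typical of web shells. The root directory, the indicator patterns and the three sample files are constructed for illustration (on a real server you would point it at the directories that serve Outlook Web Access, which the article does not name).

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Web shells in this campaign were dropped from Feb. 28, 2021 onward (date from
# the article); files modified on or after that date deserve a closer look.
CUTOFF = datetime(2021, 2, 28, tzinfo=timezone.utc)

# Content heuristics for ASPX web shells: a server-side script block that reads
# attacker-controlled request parameters or hands them to something that runs.
# These are illustrative assumptions, not a vendor signature set.
SUSPICIOUS_PATTERNS = {
    "server_script_block": re.compile(r'<script\s+runat\s*=\s*"server"', re.I),
    "reads_request_param": re.compile(r'Request\s*\[\s*"[^"]+"\s*\]'),
    "dynamic_execution": re.compile(r'\bEval\s*\(|Process\.Start|Runspace', re.I),
}


def scan_for_webshells(root, cutoff=CUTOFF):
    """Return .aspx files under root that were modified on/after cutoff AND
    contain at least one suspicious content indicator."""
    findings = []
    for path in sorted(Path(root).rglob("*.aspx")):
        try:
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: record it in a real hunt, skipped here
        indicators = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]
        if mtime >= cutoff and indicators:
            findings.append({
                "path": str(path),
                "modified_utc": mtime.isoformat(),
                "indicators": indicators,
            })
    return findings


def build_sample_tree():
    """Constructed fixture (not real Exchange content): a small web root with
    one old benign page, one recently patched benign page, and one recently
    written page carrying web-shell indicators. Returns the root directory."""
    root = Path(tempfile.mkdtemp(prefix="owa_sample_"))
    auth = root / "owa" / "auth"
    auth.mkdir(parents=True)

    # Benign page from before the cutoff: never flagged.
    old_benign = auth / "logon.aspx"
    old_benign.write_text('<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    old_ts = datetime(2020, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(old_benign, (old_ts, old_ts))

    # Benign page touched by a recent patch: recent mtime but no indicators,
    # so the date filter alone would be a false positive.
    patched = auth / "errorFE.aspx"
    patched.write_text('<%@ Page Language="C#" %>\n<html><body>Error</body></html>\n')

    # Unexpected recent file carrying indicator patterns (inert: it reads a
    # parameter and does nothing with it; a constructed marker only).
    unexpected = auth / "unexpected.aspx"
    unexpected.write_text(
        '<%@ Page Language="C#" %>\n'
        '<script runat="server">\n'
        '  void Page_Load(object s, EventArgs e) { string p = Request["cmd"]; }\n'
        '</script>\n'
    )
    return root


if __name__ == "__main__":
    for hit in scan_for_webshells(build_sample_tree()):
        print(hit)
```

Modification time is weak evidence on its own (it can be altered, and legitimate patches also touch files, as the `errorFE.aspx` fixture shows), which is why the script requires a content indicator as well. Treat hits as leads to compare against a known-good installation or the vendor's published guidance, and read them alongside the web server's request logs for the same paths.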
A tool is available on GitHub to identify infected servers over the internet, and the list is worrying.
“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”
The size of the attack so far raises concerns about the remediation phase.
“On the call, many questions were from school districts or local governments that all need help,” the source said, speaking on condition they were not identified by name. “If these numbers are in the tens of thousands, how does incident response get done? There are just not enough incident response teams out there to do that quickly.”
“The best protection is to apply updates as soon as possible across all impacted systems,” a Microsoft spokesperson said in a written statement. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”
Some have pointed a finger at Microsoft for allowing the attacks to occur, especially since its cloud products have not been affected.
“It’s a question worth asking, what’s Microsoft’s recommendation going to be?” the government cybersecurity expert said. “They’ll say ‘Patch, but it’s better to go to the cloud.’ But how are they securing their non-cloud products? Letting them wither on the vine.”