Microsoft’s Exchange Server has been hit with reported China-sponsored attack
US president Joe Biden has formed a task force to monitor and combat a major cyberattack on Microsoft’s Exchange Server software.
The vendor first revealed earlier this month that it had detected an assault by what it claimed was a Chinese government-backed group, one that “has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software”.
The attack, which Microsoft named Hafnium, “primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs”, according to a blog from Microsoft corporate vice president Tom Burt.
The number of organisations that may have been affected by the hack is not clear, although it is widely reported to be in the tens of thousands; the Wall Street Journal cited a source who claimed the figure could be as high as 250,000.
In light of this, the president is creating a team to keep tabs on the matter and support work to combat the attack and assist in recovery.
In a recent briefing, White House press secretary Jen Psaki said: “This is a significant vulnerability that could have far-reaching impacts. First and foremost, this is an active threat. And… everyone running these servers — government, private sector, academia — needs to act now to patch them. We are concerned that there are a large number of victims and are working with our partners to understand the scope of this.”
She added: “Network owners also need to consider whether they have already been compromised and should immediately take appropriate steps. The Cybersecurity and Infrastructure Security Agency issued an emergency directive to agencies, and we’re now looking closely at the next steps we need to take… We urge network operators to take it very seriously.”
In the last week, Microsoft has released a number of updates and security patches – including for Exchange Server versions that the vendor had previously stopped supporting.
Organisations are advised to upgrade to the latest version of all affected software as soon as practicable – but are also warned that patching alone will not expel attackers who have already breached their network.
“[We] strongly recommend investigating your Exchange deployments using [our] hunting recommendations… to ensure that they have not been compromised,” said an update from the vendor’s online security centre. “We recommend initiating an investigation in parallel with or after applying one of the [suggested] mitigation strategies.”
The blog from Burt claimed that, although the attack stemmed from China, it was launched “primarily from leased virtual private servers in the United States”.
“The attacks included three steps,” he added. “First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the US-based private servers – to steal data from an organisation’s network.”