  • Updated: March 06, 2021

30,000 Organizations Newly Hacked Via Microsoft Server Flaws


Flaws found in Microsoft's Exchange Server have led to the compromise by Chinese hackers of about 30,000 organizations across the United States, including a significant number of small businesses, towns, cities, and local governments.

According to KrebsOnSecurity, a security news outlet, the Chinese espionage group is exploiting four newly discovered flaws in Microsoft Exchange Server email software and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.


According to Microsoft, the vulnerabilities allowed hackers to gain access to email accounts, and also gave them the ability to install malware that might let them back into those servers at a later time.

On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.

Security experts say, however, that since then the same Chinese cyber-espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.

The exploits have been patched by Microsoft, but security experts talking to Krebs say that the detection and cleanup process will be a massive effort for the thousands of state and city governments, fire and police departments, school districts, financial institutions, and other organizations that were affected.

KrebsOnSecurity and Wired report that the attack was carried out by Hafnium, a Chinese hacking group. While Microsoft hasn’t spoken to the scale of the attack, it also points to the same group as having exploited the vulnerabilities, saying that it has “high confidence” that the group is state-sponsored.

In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.

Both the White House National Security Advisor, Jake Sullivan, and former director of the Cybersecurity and Infrastructure Security Agency Chris Krebs have tweeted about the severity of the incident.

 
