Widespread attacks hit thousands of organizations with potentially tens of thousands of organizations affected, according to the Krebsonsecurity researcher. The attackers abuse four ‘zero-day’ vulnerabilities in Microsoft Exchange Server.
Microsoft issued emergency patches last week for the bugs which are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
Microsoft attributes these attacks to a newly discovered hacking team which it calls “Hafnium,” and says it is most likely backed by China. According to Microsoft, these were “limited targeted attacks” but the company warned we could see more of these attacks in the near future.
Several US agencies like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued advisories and ordered all agencies to apply Microsoft patches for their Exchange systems. As an alternative, the agencies are also advised to simply disconnect vulnerable servers.
Microsoft urged its customers who use Microsoft Exchange Server, ranging from large enterprises to small businesses, to apply the patches immediately because it feared nation-state adversaries and hacker groups will try to quickly take advantage of any unpatched systems.
Despite these efforts, there have been already many victims. Brian Krebs, the author behind the Krebsonsecurity cybersecurity blog, revealed that his sources told him some 30,000 US organizations have been hacked by Hafnium in this campaign against MS Exchange servers. He also noted that the Hafnium hackers have accelerated attacks on vulnerable Exchange servers since Microsoft released the patches.
“The intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers,” writes Krebs.
The Hafnium attackers use “web shells” on compromised Exchange servers to steal data and install more malware. Web shells are small scripts that give hackers remote access to a compromised system.
CISA over the weekend warned of the widespread campaign and urged organizations to scan and update their systems. But many do not update their software even despite nation-state attackers exploiting the bug. Microsoft previously found that tens of thousands of Exchange servers remained unpatched.
Chris Krebs, the former director of CISA, believes the Exchange bugs will keep affecting mostly small businesses and organizations in the education sector and state and local governments.