Thousands of businesses around the globe hit by Microsoft email hack attack
By Hemanth on Mar 09, 2021 | 05:39 AM IST
A sophisticated attack on Microsoft Corp.’s [MSFT] widely used business email software is morphing into a global cybersecurity crisis, as hackers race to infect as many victims as possible before companies can secure their computer systems.
The attack, which Microsoft has said started with a Chinese government-backed hacking group, has so far claimed at least 60,000 known victims globally, according to a former senior U.S. official with knowledge of the investigation. Many of them appear to be small or medium-sized businesses caught in a wide net the attackers cast as Microsoft worked to shut down the hack.
The European Banking Authority became one of the latest victims as it said Sunday that access to personal data through emails held on the Microsoft server may have been compromised. Others identified so far include banks and electricity providers, as well as senior citizen homes and an ice cream company, according to Huntress, an Ellicott City, Maryland-based firm that monitors the security of customers, in a blog post Friday.
One U.S. cybersecurity company, which asked not to be named, said its experts alone were working with at least 50 victims, trying to quickly determine what data the hackers may have taken while also trying to eject them.
The rapidly escalating attack came months after the SolarWinds Corp. breaches by suspected Russian cyberattackers, and drew the concern of U.S. national security officials in part because the latest hackers were able to hit so many victims so quickly. Researchers say in the final phases of the attack, the perpetrators appeared to have automated the process, scooping up tens of thousands of new victims around the world in a matter of days.
Washington is preparing its first major moves in retaliation against foreign intrusions over the next three weeks, the New York Times reported, citing unidentified officials. It plans a series of clandestine actions across Russian networks -- intended to send a message to Vladimir Putin and his intelligence services -- combined with economic sanctions. President Joe Biden could issue an executive order to shore up federal agencies against Russian hacking, the newspaper reported.
“We are undertaking a whole of government response to assess and address the impact,” a White House official wrote in an email on Saturday. “This is an active threat still developing and we urge network operators to take it very seriously.”
Hafnium
The Chinese hacking group, which Microsoft calls Hafnium, appears to have been breaking into private and government computer networks through the company’s popular Exchange email software for a number of months, initially targeting only a small number of victims, according to Steven Adair, head of the northern Virginia-based Volexity. The cybersecurity company helped Microsoft identify the flaws being used by the hackers, for which the software giant issued a fix on Tuesday.
The result is a second cybersecurity crisis coming just months after suspected Russian hackers breached nine federal agencies and at least 100 companies through tampered updates from IT management software maker SolarWinds LLC. Cybersecurity experts who defend the world’s computer systems expressed a growing sense of frustration and exhaustion.
“The good guys are getting tired,” said Charles Carmakal, a senior vice president at FireEye Inc., the Milpitas, California-based cybersecurity company.
Asked about Microsoft’s attribution of the attack to China, a Chinese foreign ministry spokesman said Wednesday that the country “firmly opposes and combats cyber attacks and cyber theft in all forms” and suggested that blaming a particular nation was a “highly sensitive political issue.”
Both the most recent incident and the SolarWinds attack show the fragility of modern networks and the sophistication of state-sponsored hackers, who can identify hard-to-find vulnerabilities, or even create them, to conduct espionage. Both were also complex operations: an initial blast radius spanning large numbers of computers, later narrowed as the attackers focused their efforts, a pattern that can take affected organizations weeks or months to resolve.
In the case of the Microsoft bugs, simply applying the company-provided updates closes the entry point but won’t remove attackers who are already inside a network. A review of affected systems is required, Carmakal said. The White House emphasized the same thing, including tweets from the National Security Council urging the growing list of victims to carefully comb through their computers for signs of the attackers.
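A concrete form of that post-patch review, added here as an illustration and not taken from the article, Microsoft or any of the firms it quotes: a PowerShell triage pass over the directories an on-premises Exchange server serves over HTTP, listing server-side script files created or modified inside a review window. The install path, the file extensions and the two-week window are assumptions made for the example; the article itself names no file paths or indicators, so anything this lists is a lead to examine, not proof of compromise.

```powershell
# Added example, not from the article. Assumed defaults: Exchange installed under
# the V15 path below, and attacker-dropped access tools appearing as new .aspx/.ashx/.asmx
# files under IIS-served directories. Adjust $Roots and $Since for the environment.
$Since    = (Get-Date).AddDays(-14)        # review window; widen if exposed longer
$SinceUtc = $Since.ToUniversalTime()
$Roots = @(
    'C:\inetpub\wwwroot',
    'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy',
    'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess'
)

$Roots |
    Where-Object { Test-Path -Path $_ } |
    ForEach-Object {
        # -Include only filters when paired with -Recurse; errors on locked files are skipped
        Get-ChildItem -Path $_ -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.CreationTimeUtc -ge $SinceUtc -or $_.LastWriteTimeUtc -ge $SinceUtc } |
    Sort-Object -Property CreationTimeUtc -Descending |
    Select-Object -Property FullName, CreationTimeUtc, LastWriteTimeUtc, Length |
    Format-Table -AutoSize
```

Run it as an administrator on the server itself and follow each hit into its contents and the matching IIS log requests. An empty result does not clear a host that was exposed before the fix was applied, since the attackers' tooling need not match these extensions or paths; customers on Microsoft's cloud-hosted email, which the article notes is unaffected, have no such server to review.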
Initially, the Chinese hackers appeared to be targeting high value intelligence targets in the U.S., Adair said. About a week ago, everything changed. Other unidentified hacking groups began hitting thousands of victims over a short period, inserting hidden software that could give them access later, he said.
Adair said that other hacking groups may have found the same flaws and began their own attacks -- or that China may have wanted to capture as many victims as possible, then sort out which had intelligence value.
Either way, the attacks were so successful -- and so rapid -- that the hackers appear to have found a way to automate the process. “If you are running an Exchange server, you most likely are a victim,” he said.
Data from other security companies suggest that the scope of the attacks may not end up being quite that bad. Researchers from Huntress examined about 3,000 vulnerable servers on its partners’ networks and found about 350 infections -- or just over 10%.
While the SolarWinds hackers infected organizations of all sizes, many of the latest batch of victims are small- to medium-sized businesses and local government agencies. The organizations most at risk are those running the vulnerable software on an email server that is exposed directly to the internet, a risky setup that larger ones usually avoid.
Smaller organizations are “struggling already due to Covid shutdowns -- this exacerbates an already bad situation,” said Jim McMurry, founder of Milton Security Group Inc., a cybersecurity monitoring service in Southern California. “I know from working with a few customers that this is consuming a great deal of time to track down, clean and ensure they were not affected outside of the initial attack vector.”
McMurry said the issue is “very bad” but added that the damage should be mitigated somewhat by the fact that “this was patchable, it was fixable.”
Microsoft said customers that use its cloud-based email system are not affected.
The use of automation to launch very sophisticated attacks may mark a new, frightening era in cybersecurity, one that could overwhelm the limited resources of defenders, several experts said.
Some of the initial infections appear to have been the result of automated scanning and installation of malware, said Alex Stamos, a cybersecurity consultant. Investigators will be looking for infections that led to hackers taking the next step and stealing data -- such as e-mail archives -- and searching them for any valuable information later, he said.
“If I was running one of these teams, I would be pulling down email as quickly as possible indiscriminately and then mining them for gold,” Stamos said.
Source: fortune