Microsoft blames Chinese hacking group for attacks on Exchange Server

Microsoft has blamed a state-sponsored hacking group from China for a series of attacks on the company’s Exchange Server product, which is used to deliver email, calendaring, contact, scheduling, and collaboration services.

Microsoft attributes the attacks to a group it has dubbed Hafnium. They target versions of Exchange Server that organizations run on-premises, not the cloud-based Exchange Online service that is part of Microsoft 365.

Hafnium is a “highly skilled and sophisticated actor” that targets organizations in the United States to steal information, Tom Burt, Microsoft’s corporate vice president for customer security and trust, wrote in a March 2 blog post. Among the organizations targeted by the group are infectious disease researchers, law firms, higher education institutions, defense contractors, and policy think tanks, he wrote.

During the zero-day attacks detailed by Microsoft, the hackers gained access to on-premises Exchange Servers, which gave them access to email accounts and let them install additional malware intended to give them long-term access to the targeted IT environments. Microsoft issued a series of security updates to fix the vulnerabilities the attacks exploited.

An attacker first gained access to an Exchange Server either with stolen passwords or by using “previously undiscovered vulnerabilities to disguise itself as someone who should have access,” Burt added. The attacker then created a web shell to control the compromised server remotely. The attacker could then steal data from the targeted organization.

Cybersecurity professionals urged organizations running on-premises Exchange Servers to install the security updates.

If an organization sees additional compromise indicators after applying the updates, it should enact its cybersecurity incident response plan or hire an outside cybersecurity firm to assist with remediation, advised Clay Gooch, the chief information security officer at Headstorm, a cybersecurity and data science company.
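One concrete form that "looking for compromise indicators after patching" can take, added here as an example that is not from the article, from Microsoft or from any of the firms quoted: walk the web tree of an on-premises Exchange host and triage server-side script files that were written after the day the updates went on, flagging those that carry the traits the article attributes to the attackers' web shell (a server-side script block that reads request input and executes commands or evaluates code). The directory layout, the sample pages, the baseline date and the indicator patterns are all assumptions constructed for the example; the script produces a triage list for an analyst, not a verdict.

```python
"""Triage candidate web shells in an Exchange (IIS) web directory tree.

Added example, not from the article or Microsoft. Files with ASP.NET script
extensions modified after a patch-day baseline are read, and those that combine
a server-side script block with request-input handling and command execution or
code evaluation are reported. Indicator patterns are generic heuristics (an
assumption), so the output is a list to review, not proof of compromise.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}

# Assumed generic indicators of an ASP.NET web shell; tune to your environment.
INDICATORS = {
    "server_script": re.compile(r'<script[^>]*runat\s*=\s*"?server"?', re.I),
    "request_input": re.compile(r"Request\s*(\[|\.(Form|QueryString|Headers|Item))", re.I),
    "exec_or_eval": re.compile(
        r"(Process\.Start|\beval\s*\(|\bExecute\s*\(|cmd\.exe|powershell)", re.I
    ),
}


@dataclass
class Finding:
    path: str
    mtime: datetime
    hits: list = field(default_factory=list)


def scan_file(path, baseline):
    """Return a Finding if the file is newer than baseline and looks shell-like."""
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    if mtime < baseline:
        return None  # untouched since patch day; skip
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # A server-side script block alone is normal for inline code-behind pages;
    # require at least one behavioural indicator on top of it.
    if "server_script" in hits and len(hits) >= 2:
        return Finding(path, mtime, hits)
    return None


def scan_tree(root, baseline):
    """Walk root and return Findings for every script file that trips the check."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                finding = scan_file(os.path.join(dirpath, name), baseline)
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


# Constructed sample pages (not real Exchange files).
OLD_BENIGN = '<%@ Page Language="C#" %>\n<html><body><form runat="server"></form></body></html>\n'
NEW_BENIGN = (
    '<%@ Page Language="C#" %>\n<script runat="server">\n'
    'protected void Page_Load(object s, EventArgs e) { Title = "Sign in"; }\n'
    "</script>\n<html><body>Sign in</body></html>\n"
)
SHELL_LIKE = (
    '<script language="JScript" runat="server">\n'
    'function Page_Load(){ eval(Request["cmd"], "unsafe"); }\n</script>\n'
)


def demo():
    """Build a constructed web tree in a temp dir and return flagged relative paths."""
    baseline = datetime(2021, 3, 1, tzinfo=timezone.utc)  # assumed patch day
    root = tempfile.mkdtemp(prefix="exchange_web_")
    samples = {
        "owa/default.aspx": OLD_BENIGN,    # old file, skipped by the time filter
        "ecp/login.aspx": NEW_BENIGN,      # new but ordinary inline page
        "owa/auth/shell.aspx": SHELL_LIKE, # new and shell-like
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    old = datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(os.path.join(root, "owa", "default.aspx"), (old, old))
    return [os.path.relpath(f.path, root).replace(os.sep, "/") for f in scan_tree(root, baseline)]


if __name__ == "__main__":
    for rel in demo():
        print("review:", rel)
```

Run against a real host, replace `demo()` with a call to `scan_tree` on the Exchange install directory and set the baseline to the time the updates were applied; anything it lists should be compared against a known-good install before it is deleted, since legitimate inline pages can trip the heuristics.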

Organizations also need to rethink password security, said Noah Johnson, chief technology officer and co-founder of Dasera, a cloud security vendor.

“Once the dust settles from this attack, it’s important to note that the first step in this attack, like so many other attacks today, leverages stolen passwords or previously undiscovered vulnerabilities to disguise itself as someone who should have access,” he told the Washington Examiner.

But with passwords commonly compromised, organizations need to monitor data after someone has accessed it using a password, he said, adding, “Organizations need to assume that any credential can be compromised, and they need to have systems in place that automatically monitor how data is being accessed and used.”

There’s some debate among cybersecurity experts about whether companies should consider scrapping their on-premises email and calendar servers. Whether to make the change depends on several risk factors, Gooch said.

“If the COVID pandemic has taught us anything, it is that remote work is here to stay,” he told the Washington Examiner. “By leveraging a cloud-based email provider, organizations are able to quickly reduce risk of outages and vulnerabilities. However, these services must be configured correctly to not expose your organization. At the end of the day, organizations must understand how and what they want to protect.”

Recent examples of cloud-based services being compromised include the theft of 100 million credit applications from the Amazon Web Services cloud, noted Greg Scott, a cybersecurity professional and senior technical account manager at Red Hat. “Attackers probe cloud services for vulnerabilities, just like they probe on-premise services for vulnerabilities,” he told the Washington Examiner.

The Exchange Server attacks shouldn’t raise new questions about Microsoft products’ safety, most cybersecurity experts said. “Microsoft products are as safe as any others,” Scott said. “Microsoft products are popular, and so more people attack them.”

Still, there’s some disagreement among cybersecurity professionals about how Microsoft or the U.S. government should respond to these attacks if they indeed came from a state-sponsored Chinese hacking group.

People shouldn’t be shocked that the Chinese exploited a vulnerability, Scott said. “We do it to the Chinese.”

Still, Gooch encouraged the Biden administration to enter into diplomatic talks with China to shut down state-sponsored hacking groups.

The Biden administration has promised to make cybersecurity a top priority, noted Daniel Castro, vice president of tech-focused think tank the Information Technology and Innovation Foundation and director of its Center for Data Innovation.

“The administration has said it will seek to hold bad actors accountable for cyberattacks,” he told the Washington Examiner. “This is its first big test. The U.S. government should retaliate swiftly and publicly. China should face punitive measures if the U.S. government corroborates that this was carried out by Chinese hackers.”
