Microsoft is racing to patch its Microsoft Exchange Servers after identifying a massive server hack as cyber-espionage in recent weeks.
Microsoft says it suspects Hafnium, a Chinese state-sponsored outfit primarily focused on exfiltrating information from several United States industries and others running large mail exchanges, as being behind the attack. (The Chinese government denies involvement in these attacks).
In a Cybernews article on the attacks, Tom Burt, Microsoft Corporate Vice President, explained that in this latest attack, intruders gain access to any vulnerable Microsoft Exchange Server using stolen passwords “to disguise their identity as someone who should have access.” The hackers aim to infiltrate mainly larger email exchange server systems run by IT personnel. Once inside the network, the next stage for the hackers involves accessing back-end systems and building web shells to run the exchange servers and allow extraction of information about the target companies.
What is becoming clear now is how the vulnerabilities also affect small to medium businesses running on-premises mail servers. Because Hafnium posted the vulnerabilities into hacker forums, other threat actors who like to target small to medium companies are interested and taking action as well. This expanded group of threat actors is identifiable through known malware hashes and known malicious file paths, which are a bit like signatures.
Fortunately, there are fixes that can prevent these hacks. It’s critical to watch for Microsoft’s security updates and apply them immediately. Once hackers have access to email accounts, they are installing malware to facilitate long-term access to victim environments, so diligent effort is necessary to prevent them from breaching systems in the first place.
If you are running Microsoft Exchange Server versions 2013, 2016, or 2019, you need to apply patches as soon as possible. Microsoft has written some mitigations you can perform if you can’t patch immediately. Updates for Exchange Server 2010 are ongoing. If you think your servers may be impacted, check out this comprehensive Microsoft article, which may be able to help you find suitable patches. ( Note: Exchange Online is not affected.)
The U.S Government and others seek to raise awareness of the situation, since any unpatched system is vulnerable, and malicious actors continue to take advantage of the situation. The Institute for Security and Technology has high-level non-technical advice for small and medium-sized organizations in response to the hack and other threats that could arise.
You can also hunt for signs of compromise and how to apply mitigation if you can’t patch immediately or want to check if your on-premises exchange server has been hacked. Useful ways to do this are provided by the Cyber Threat Alliance blog: Exploitation of Microsoft Exchange Vulnerabilities. Just don’t leave it too long before you act.
In other news
- Cybercriminals target brewing company. Last week we told you about cyberattacks on a video surveillance company and a Russian crime forum. Now, as proof that nothing is sacred, hackers have attacked one of the largest brewing companies in the US. Molson Coors reported an attack had affected many aspects of the company’s operations, including its brewery and shipping facilities. A local television station in Milwaukee, Wisconsin claims the company’s production has been completely shut down. According to Gizmodo, “the most obvious explanation here would be ransomware: Coors is a high-value target with a lot riding on the effective functioning of its systems.”
- Google incognito suit goes forward. A federal judge is allowing a $5 billion class-action lawsuit to go forward. As described in Search Engine Journal, the suit alleges that Google is tracking users who employ the Chrome browser’s incognito mode, in violation of wiretapping and privacy laws. Google, which has been unsuccessfully trying to quash the lawsuit since June 2020, contends that the company makes it clear that Chrome may still capture data when people use the privacy mode. Until this lawsuit is resolved, we suggest using a different browser when engaging in certain online activities that you may want to keep private.
- Google continues to crack down on bad ads. In other Google news, the company issued its 10th annual Ads Safety Report. In this report, Google notes that it “blocked or removed approximately 3.1 billion ads for violating [Google’s] policies and restricted an additional 6.4 billion ads.” These include 99 million Covid-related ads pushing false information, price gouging, fake cures, and other misleading content. They also report that they remain committed to using their policies to protect elections in the U.S., the UK, India, Israel, and other countries, as well as “demonetizing hate and violence.”
Tip of the week
Did you know many of your electronic devices are spying on you? You might suspect your cell phone is tracking your movements, or your smart speaker might be listening in on things it shouldn’t. But did you know your television, vacuum, or even your car might be sending data back to the manufacturer? Learn more about these privacy concerns as well as how you can protect yourself on our blog. And Consumer Reports offers tips on how to stop your TV from phoning home.
And check out Namecheap’s VPN service, which adds a layer of security for many online activities.
[News] Microsoft Exchange servers under attack .