On 2 March, Microsoft released an emergency security update for its Microsoft Exchange mail and communications software, fixing a security bug in the 2013 versions of the software. However, with customers slow to upgrade their networks, there are signs that hackers stealing email messages from those systems have now hit at least 30,000 US businesses, including police stations, hospitals, local government authorities, banks, credit unions, non-profits and telecommunications providers.
The Chinese state-funded organization known as Hafnium started ramping up and automating its campaign after the patch was posted, according to Krebs on Security and Wired. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack,” Krebs told a source. A former Wired national security official said thousands of computers across the world are being hacked every hour. When Microsoft announced its emergency fix, the security firm Volexity was credited with notifying it of Hafnium's activities. Volexity President Steven Adair claims that even businesses that patched their servers on the day Microsoft released its security update are now affected.
Microsoft said that it is partnering with the US government to provide its customers with advice. “The best protection is to apply updates as soon as possible across all impacted systems,” Microsoft told Krebs. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.” Microsoft did not immediately respond to a request for comment.
Thoughts on the Hafnium Exchange hack: (1) it’s going to disproportionately impact those that can least afford it (SMBs, Edu, States, locals), (2) incident response teams are BURNED OUT & this is at a really bad time, (3) few orgs should be running exchange servers these days. https://t.co/bc5yutThve
— Chris Krebs (@C_C_Krebs) March 6, 2021
Some of the more high-profile attacks over the years have been the result of hackers attacking organizations that were slow to upgrade their apps. Hackers stole sensitive information on more than 147.7 million Americans from Equifax by exploiting a flaw that would have been corrected if the credit reporting firm had upgraded the app. Hackers have also used already-patched security vulnerabilities to attack state and regional government systems, which are likewise slow to upgrade.
This is also why the White House has gone to some lengths to raise the alarm. On Thursday, Jake Sullivan encouraged businesses to upgrade their apps, and White House Press Secretary Jen Psaki addressed the hack at her regular press conference on Friday. Psaki said, “This is a significant vulnerability that could have far-reaching impacts.”