The emergency security patch Microsoft rolled out a few days ago to fix four zero-day flaws in Exchange Server didn't deter the hacking group that's been exploiting them. In fact, according to Krebs on Security and Wired, the the Chinese state-sponsored group dubbed Hafnium ramped up and automated its campaign after the patch was released. In the US, the group infiltrated at least 30,000 organizations using Exchange to process email, including police departments, hospitals, local governments, banks, credit unions, non—profits and telecommunications providers. Worldwide, the number of victims is reportedly in the hundreds of thousands.
"Just about everyone who's running self-hosted Outlook Web Access and wasn't patched as of a few days ago got hit with a zero-day attack," a source told Krebs. A former national security official Wired talked to said thousands of servers are getting compromised per hour around the world. When Microsoft announced its emergency patch, it credited security firm Volexity for notifying it about Hafnium's activities. Volexity president Steven Adair now said that even organizations that patched their servers on the day Microsoft's security update was released may have still been compromised.
Further, the patch will only fix the Exchange Server vulnerabilities — those already compromised will still have to remove the backdoor the group planted in their systems. Hafnium is exploiting the flaws to plant "web shells" in their victims' servers, giving them administrative access that they can use to steal information. According to Krebs, Adair and other security experts are worried about the possibility of the intruders installing additional backdoors as the victims work to remove the ones already in place.
Microsoft clarified from the start that these exploits have nothing to do with SolarWinds. That said, Hafnium's activities' may dwarf the SolarWinds attacks when it comes to the number of victims. Authorities believe around 18,000 entities were affected by the SolarWinds' breach, since that was the number of customers that downloaded the software's malicious update. As Wired notes, though, Hafnium's activities focus on small and medium organizations, where the SolarWinds hackers infiltrated tech giants and large US government agencies.
When asked about the situation, Microsoft told Krebs that it's working closely with the US Cybersecurity & Infrastructure Security Agency, along with other government agencies and security companies, to provide its customers "additional investigation and mitigation guidance."
So what do you do now? (1) patch (if you haven't already), (2) assume you're owned, look for activity, (3) if you aren't capable of hunting or can't find a team to help, disconnect & rebuild, (4) move to the cloud, (5) pour one out for IR teams, they've had a rough year(s?).— Chris Krebs (@C_C_Krebs) March 6, 2021