Microsoft Exchange exploited to hack 30,000 US organization emails

Joe White

What just happened? Four exploits found in Microsoft Exchange Server software have led to some 30,000 U.S. government and commercial organizations – including police departments, hospitals, and nonprofits – having their emails hacked. Microsoft rolled out a patch to fix four zero-day exploits in Exchange Server a few days ago, but that hasn’t stopped a hacking group from taking advantage of the situation.

According to Microsoft, the vulnerabilities in Exchange Server are being targeted by a previously unknown Chinese hacking group known as “Hafnium.” In the days since Microsoft issued the patch for Exchange, the group is said to have dramatically stepped up its efforts, targeting unpatched servers around the world and accessing the accounts of some 30,000 U.S. organizations. This is said to include local governments, banks, and credit unions, as well as police departments, hospitals, and nonprofits.

Krebs on Security explains, “In each incident, the intruders have left behind a ‘web shell,’ an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.”

Although the attacks have exploded in recent days, the group has reportedly been taking advantage of the vulnerabilities since early January. In fact, the first attacks were quietly targeting users on January 6, 2021 – a day when all eyes were focused on the U.S. Capitol.

Microsoft explains that self-hosted servers running Exchange Server 2013, 2016, or 2019 are at risk and should apply its security patch as a matter of urgency. If your organization uses Exchange Online, it won’t be affected.
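The article's Krebs quote says the intruders leave behind a web shell, an .aspx page the administrator never installed and then drive it over HTTPS. One practical way to hunt for that from the defender's side is to compare the .aspx paths a server is actually serving against an inventory of the pages it should serve, and to rank the unknown ones by how often they are POSTed to. The script below is an added example for this page; it is not code from the article, from TechSpot, or from Microsoft. Its IIS log lines, IP addresses, and page paths are constructed sample data, and KNOWN_PAGES stands in for a file inventory you would take from your own Exchange front end, so nothing in it should be read as the real virtual-directory layout of any product.

```python
"""
Triage helper: find unexpected .aspx pages being driven through an IIS
front end, the pattern the article's "web shell" description implies.

Added example, not code from the article, TechSpot or Microsoft. The log
excerpt, IP addresses and page paths below are constructed; KNOWN_PAGES
stands in for an inventory of the .aspx files your own server legitimately
serves (take it from a known-good host, not from the suspect one).
"""
from typing import Dict, List

# Constructed IIS W3C extended-log excerpt. IIS writes one space-separated
# record per request and replaces spaces inside a field with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-03-04 02:11:08 GET /owa/auth/logon.aspx url=/owa 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-04 02:11:09 POST /owa/auth/logon.aspx - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 302
2021-03-04 02:13:40 GET /ecp/default.aspx - 443 198.51.100.4 python-requests/2.25.1 200
2021-03-04 02:13:41 POST /example_vdir/placeholder_shell.aspx - 443 198.51.100.4 python-requests/2.25.1 200
2021-03-04 02:13:42 POST /example_vdir/placeholder_shell.aspx - 443 198.51.100.4 python-requests/2.25.1 200
2021-03-04 02:13:45 POST /example_vdir/placeholder_shell.aspx - 443 198.51.100.4 python-requests/2.25.1 200
2021-03-04 02:15:02 GET /example_vdir/leftover_page.aspx - 443 192.0.2.9 Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-04 02:16:30 GET /example_vdir/probe.aspx - 443 198.51.100.4 python-requests/2.25.1 404
2021-03-04 02:20:00 GET /owa/auth/logon.aspx url=/owa 443 192.0.2.9 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# Constructed baseline of .aspx paths this server is expected to serve.
KNOWN_PAGES = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended-log text using its own #Fields directive."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):        # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("record appears before any #Fields: directive")
        parts = line.split()
        if len(parts) != len(fields):   # malformed record: skip it, don't abort the sweep
            continue
        records.append(dict(zip(fields, parts)))
    return records


def find_webshell_candidates(text: str, known_pages) -> List[Dict]:
    """Return every served .aspx stem not in the baseline, most POST-driven first.

    First signal: an .aspx path nobody installed. Second: repeated POSTs from
    one client, since commands to a shell are normally submitted as a POST
    body rather than as a bookmarkable GET. Stems that only ever returned
    404 are dropped: the file is not there, so that was a probe, not a shell.
    """
    known = {p.lower() for p in known_pages}
    per_stem: Dict[str, Dict] = {}
    for rec in parse_iis_log(text):
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(".aspx") or stem in known:
            continue
        entry = per_stem.setdefault(stem, {
            "stem": stem, "get_count": 0, "post_count": 0,
            "clients": set(), "agents": set(), "statuses": set(),
        })
        if rec["cs-method"].upper() == "POST":
            entry["post_count"] += 1
        else:
            entry["get_count"] += 1
        entry["clients"].add(rec["c-ip"])
        entry["agents"].add(rec["cs(User-Agent)"])
        entry["statuses"].add(rec["sc-status"])
    findings = [e for e in per_stem.values() if e["statuses"] - {"404"}]
    findings.sort(key=lambda e: (-e["post_count"], e["stem"]))
    return findings


if __name__ == "__main__":
    for f in find_webshell_candidates(SAMPLE_LOG, KNOWN_PAGES):
        print(f"{f['stem']}: {f['post_count']} POST / {f['get_count']} GET "
              f"from {sorted(f['clients'])}, agents={sorted(f['agents'])}, "
              f"status={sorted(f['statuses'])}")
```

Run on the constructed excerpt, the placeholder shell path surfaces first (three POSTs from one non-browser client), the unknown page that was only fetched once is listed below it for a manual look, and the 404 probe is dropped. The baseline approach is not specific to this incident: any server-side page that appears in the logs but not in your inventory deserves the same question, whichever vulnerability put it there.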


 
So this really affects all of us... The question is which of the organizations we’ve communicated with they have hacked and stolen data from, and how bad it was.

The US really needs to take a hard stance on China, identifying and prosecuting hackers responsible for crap like this. Really every country needs to be on board with some sort of common hacking laws. It should be illegal and dangerous to hack for theft of trade secrets, credentials to monetary accounts, and intentional disruption of services. Maybe to prevent hacking of important services, prioritize prosecution when services/goods involved are affected with a minimum cumulative value.
 
Whenever I set up email, it's either POP or IMAP, so I wonder how many consumers are affected. Still, if you work with a company that requires being on a computer for much of the time, Exchange may be the main use. I haven't ever delved into that.
 
Whenever I set up email, it's either POP or IMAP, so I wonder how many consumers are affected. Still, if you work with a company that requires being on a computer for much of the time, Exchange may be the main use. I haven't ever delved into that.
Exchange is a HUGELY popular email system... VAST quantities of companies use it. But those who aren't patching their systems should be criminally responsible.

There's a reason why companies hire IT and security people.... if anyone has been hacked since MS released patches, they should be taking a serious look at firing those people...
 
There's a reason why companies hire IT and security people.... if anyone has been hacked since MS released patches, they should be taking a serious look at firing those people...
Too bad that companies often hire such people, but leave the department with such small budgets or very short windows for even basic "routine maintenance", that it takes much longer for things to get done or worse, not done at all.

Supporting IT services in almost every company is not good for the bottom line until something goes wrong, then it's mix of panicked reactive responses and blaming the same IT services for not being ready.
 
Too bad that companies often hire such people, but leave the department with such small budgets or very short windows for even basic "routine maintenance", that it takes much longer for things to get done or worse, not done at all.

Supporting IT services in almost every company is not good for the bottom line until something goes wrong, then it's mix of panicked reactive responses and blaming the same IT services for not being ready.
Very true - IT people tend to be paid very well... if your budget is low, you'll get the crappy IT people... like my school board - we pay our IT people 30k per year... and we wonder why it's crummy...

But for companies RUNNING Exchange servers, this should not apply... Once you have a server up and running, keeping it up-to-date should be a matter of, at most, a few clicks (assuming your IT staff isn't knowledgeable enough to automate such things). There are simply no excuses for this.
 
Very true - IT people tend to be paid very well... if your budget is low, you'll get the crappy IT people... like my school board - we pay our IT people 30k per year... and we wonder why it's crummy...

But for companies RUNNING Exchange servers, this should not apply... Once you have a server up and running, keeping it up-to-date should be a matter of, at most, a few clicks (assuming your IT staff isn't knowledgeable enough to automate such things). There are simply no excuses for this.
We used to run our own Exchange server and it was the wild west back then, slinging MacGyver patchwork fixes since they wouldn't give us the money to upgrade hardware or software... but then we moved to Exchange Online and things have been relatively happy since then. XD
 
Whenever I set up email, it's either POP or IMAP, so I wonder how many consumers are affected. Still, if you work with a company that requires being on a computer for much of the time, Exchange may be the main use. I haven't ever delved into that.
Most "consumers" are using hosted email systems and many of them aren't Exchange. Usually it's companies, government agencies or other organizations that are running on-prem/colo Exchange servers. Many companies have already switched to O365 (now MS365). I'd be most worried about government agencies because any agency with high-trust requirements is likely running an on-prem mail server.
 
This is why we're bankrupting Huawei and Xiaomi, China.
Keep it up and all of your products will be blanket banned across the sensible parts of the world.
 
I spent 31 hours Thursday and Friday patching several Exchange servers from these exploits. Two were compromised and cleaned up. Hackers are scum. Blaming IT services for 0-day exploits is ridiculous and ignorant beyond words. I have nothing good to say about China soooo......
 
I spent 31 hours Thursday and Friday patching several Exchange servers from these exploits. Two were compromised and cleaned up. Hackers are scum. Blaming IT services for 0-day exploits is ridiculous and ignorant beyond words. I have nothing good to say about China soooo......
Patches were released days before... what were you doing Wednesday? And why aren’t you subscribed to get the 0-day patches as soon as they’re released?!??
 
Patches were released days before... what were you doing Wednesday? And why aren’t you subscribed to get the 0-day patches as soon as they’re released?!??

Getting things ready and testing the patches among the other thousand duties I have.... There was also some research to do into exactly what was happening. That also includes contacting each company to set up emergency patch time schedules, since it requires reboots on some along with other updates. And there are always quirks with different Exchange server versions and setups. Any other dumb questions?
 
Exchange is a HUGELY popular email system... VAST quantities of companies use it. But those who aren't patching their systems should be criminally responsible.

There's a reason why companies hire IT and security people.... if anyone has been hacked since MS released patches, they should be taking a serious look at firing those people...
The hole was exploited actively for 2 MONTHS before a patch was released.
 
China encourages these attacks in their ultimate goal of world domination and spreading communism. Trump had it right in going after China. Sadly, we now have a president that is a clueless fool and we will most certainly digress.
 
The hole was exploited actively for 2 MONTHS before a patch was released.
If only you'd bothered to READ my post.... here's the important part you clearly missed...
" There's a reason why companies hire IT and security people.... if anyone has been hacked since MS released patches, they should be taking a serious look at firing those people... "

Obviously, you can't blame IT for exploits BEFORE they were patched... but you certainly can AND SHOULD blame them for exploits AFTER they've been patched.
 
If only you'd bothered to READ my post.... here's the important part you clearly missed...
" There's a reason why companies hire IT and security people.... if anyone has been hacked since MS released patches, they should be taking a serious look at firing those people... "

Obviously, you can't blame IT for exploits BEFORE they were patched... but you certainly can AND SHOULD blame them for exploits AFTER they've been patched.

That sounds like a bean counter's excuse when IT is last on the totem pole for money, resources, personnel, updated hardware, etc. to name a few... Keep digging.
 
That sounds like a bean counter's excuse when IT is last on the totem pole for money, resources, personnel, updated hardware, etc. to name a few... Keep digging.
Assuming your IT staff is competent and not overstretched (like you seem to be), then it should be a fairly simple matter to keep your servers up to date.

If you require a week (or more) to patch something, there's something wrong... whether it's the IT person's fault - or the people who hired the IT person - is obviously dependent on numerous things I'm not present to judge...

In your case, it seems like it's the various companies who hire you are simply doing things on the cheap...

IT is kind of like a firefighter.... most of the time you don't need them and resent the money you're spending on them.... BUT.... when you DO need them, they're worth their weight in gold...
 
Assuming your IT staff is competent and not overstretched (like you seem to be), then it should be a fairly simple matter to keep your servers up to date.

If you require a week (or more) to patch something, there's something wrong... whether it's the IT person's fault - or the people who hired the IT person - is obviously dependent on numerous things I'm not present to judge...

In your case, it seems like it's the various companies who hire you are simply doing things on the cheap...

IT is kind of like a firefighter.... most of the time you don't need them and resent the money you're spending on them.... BUT.... when you DO need them, they're worth their weight in gold...

I want to live in your perfect IT world. Don't get me wrong, I agree with your premise, but that is not reality. We have Fortune 500 companies worldwide that continue to get hacked, much less "cheap" companies. Be accountable for yourself and don't judge other IT departments with such a generalized statement is all I'm getting at.

Just to clarify, with these specific 0-day exploits they are taking the low-hanging fruit: if they actually use the default "administrator" account, then if targeted they could get in. It's like they teach you never to do, then you are pretty safe. Most of ours do not use the default but we have to patch them all anyway. So urgent is relative... because the bean counters want MSERT scans done and reports regardless after this crap is done.
 
I want to live in your perfect IT world. Don't get me wrong, I agree with your premise, but that is not reality. We have Fortune 500 companies worldwide that continue to get hacked, much less "cheap" companies. Be accountable for yourself and don't judge other IT departments with such a generalized statement is all I'm getting at.
Oh I know it isn't reality... but if people were held accountable, it might BECOME reality...

Decades ago, in Mexico, whenever a major earthquake hit, hundreds of people (or even thousands or tens of thousands) would become homeless as their shoddily built homes collapsed.... Finally Mexico passed a law that if a building collapsed during an earthquake, the architect could face the death penalty...

Shockingly, building standards quickly rose....

I'm not recommending going to quite that extreme... but... if we made someone accountable, I'd wager far less servers would get hacked in the future...
 
Assuming your IT staff is competent and not overstretched (like you seem to be), then it should be a fairly simple matter to keep your servers up to date.

If you require a week (or more) to patch something, there's something wrong... whether it's the IT person's fault - or the people who hired the IT person - is obviously dependent on numerous things I'm not present to judge...

In your case, it seems like it's the various companies who hire you are simply doing things on the cheap...

IT is kind of like a firefighter.... most of the time you don't need them and resent the money you're spending on them.... BUT.... when you DO need them, they're worth their weight in gold...
The problem is Microsoft introduces, quite regularly, regressions. They do not always detail how and what patches affect. People delay patches so they can see what Microsoft ****s up when they beta test on the market.

To properly test, you would have a mirrored environment and ideally with PRODUCTION simulated load. Many companies do NOT give the resources to mirror high load services etc to do proper staged upgrades of email servers, etc for components of Microsoft software.

I can tell you over the last 10+ years the amount of downtime and security risk I have had from viruses in our office is a handful of HOURS. The downtime we have had because of virus scanners and security patches screwing things up is WEEKS or MONTHS. Including completely hosing machines and stopping critical business functions working.

Those business functions had no attack vectors made vulnerable by not patching btw - the patches broke functional and secure machines for vectors that were not in our business workflows.

So it's not all black and white.
 
The problem is Microsoft introduces, quite regularly, regressions. They do not always detail how and what patches affect. People delay patches so they can see what Microsoft ****s up when they beta test on the market.

To properly test, you would have a mirrored environment and ideally with PRODUCTION simulated load. Many companies do NOT give the resources to mirror high load services etc to do proper staged upgrades of email servers, etc for components of Microsoft software.

I can tell you over the last 10+ years the amount of downtime and security risk I have had from viruses in our office is a handful of HOURS. The downtime we have had because of virus scanners and security patches screwing things up is WEEKS or MONTHS. Including completely hosing machines and stopping critical business functions working.

Those business functions had no attack vectors made vulnerable by not patching btw - the patches broke functional and secure machines for vectors that were not in our business workflows.

So it's not all black and white.
Agreed - but... each patch tends to come with a white paper that explains what it’s for (even if it ends up fudging stuff up worse)... This latest Exchange patch did explain that it was kind of urgent... and any company with decently paid and not overwhelmed IT should have realized this was a priority to install...
 
Agreed - but... each patch tends to come with a white paper that explains what it’s for (even if it ends up fudging stuff up worse)... This latest Exchange patch did explain that it was kind of urgent... and any company with decently paid and not overwhelmed IT should have realized this was a priority to install...
For the critical stuff, everyone goes nuts in our company. Like red sirens and flurry of emails. The amount of them I've seen in say 5 years I could count on one hand. Most of the time I am the proactive one when something looks like it could affect us.

We read the advisories and anyone not paying attention to the press releases is negligent. Anyone who doesn't see the critical issues and considers if it applies to them is also negligent if their role is to maintain servers. Absolutely...

Reading the whitepapers ... I kinda feel those are more for security experts not for overwhelmed IT administrators. You really just want a paragraph summary on the issue compromise and attack vector then you can consider or ignore and move on with life (doing stuff that makes money).
 
For the critical stuff, everyone goes nuts in our company. Like red sirens and flurry of emails. The amount of them I've seen in say 5 years I could count on one hand. Most of the time I am the proactive one when something looks like it could affect us.

We read the advisories and anyone not paying attention to the press releases is negligent. Anyone who doesn't see the critical issues and considers if it applies to them is also negligent if their role is to maintain servers. Absolutely...

Reading the whitepapers ... I kinda feel those are more for security experts not for overwhelmed IT administrators. You really just want a paragraph summary on the issue compromise and attack vector then you can consider or ignore and move on with life (doing stuff that makes money).

I wonder if people realize how many critical, urgent, must read emails, notifications, etc. occur if you are subscribed to the thousands of security alerts as an admin. Now all that takes away from doing your actual duties. It is a never ending cycle of trying to keep up. Urgent and critical tend to lose their meaning, especially for MS products. Again these specific exploits target admins that used default administrator accounts so "urgent" is relative to each specific exchange server. And then you get the armchair finger pointers who complain it took you a couple extra days to get everything updated.
 
I wonder if people realize how many critical, urgent, must read emails, notifications, etc. occur if you are subscribed to the thousands of security alerts as an admin. Now all that takes away from doing your actual duties. It is a never ending cycle of trying to keep up. Urgent and critical tend to lose their meaning, especially for MS products. Again these specific exploits target admins that used default administrator accounts so "urgent" is relative to each specific exchange server. And then you get the armchair finger pointers who complain it took you a couple extra days to get everything updated.
It would seem ideal that someone or a group would be given a dedicated responsibility to sort out and prioritize the updates and patches as they come, leaving other staff to implement what was approved. Even if any one of the staff could do it all. Maybe even on a rotation. Not that I really know all that happens in that environment. Just sort of a production allocation thing.
 