Microsoft Exchange exploited to hack 30,000 US organization emails

Joe White

Posts: 56   +0
Staff
What just happened? Four exploits found in Microsoft Exchange Server software have led to some 30,000 U.S. government and commercial organizations – including police departments, hospitals, and nonprofits – having their emails hacked. Microsoft rolled-out a patch to fix four zero-day exploits in Exchange Server a few days ago, but that hasn’t stopped a hacking group from taking advantage of the situation.

According to Microsoft, the vulnerabilities in Exchange Server are being targeted by a previously unknown Chinese hacking group known as “Hafnium.” In the days since Microsoft issued the patch for Exchange, the group is said to have dramatically doubled-up its efforts, targeting unpatched servers around the world and accessing the accounts of some 30,000 U.S. organizations. This is said to include local governments, banks, and credit units, as well as police departments, hospitals, and nonprofits.

Krebs on Security explains, “In each incident, the intruders have left behind a ‘web shell,’ an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.”

Although the attacks have exploded in recent days, the group has reportedly been taking advantage of the vulnerabilities since early January. In fact, the first attacks were quietly targeting users on January 6, 2021 – a day when all eyes were focused on the U.S. Capitol.

Microsoft explains that self-hosted servers running Exchange Server 2013, 2016, or 2019 are at risk and should download its security patch as a matter of urgency. If your organization uses Exchange Online, it won’t be affected.

Permalink to story.

 

Plutoisaplanet

Posts: 394   +546
So this really affects all of us... The question is which organizations that we’ve communicated with have they hacked and stolen data for and how bad was it.

The US really needs to take a hard stance on China identifying and prosecuting hackers responsible for crap like this. Really every country needs to be onboard with some sort of common hacking laws. It should be illegal and dangerous to hack for theft of trade secrets, credentials to monetary accounts, and intentional disruption of services. Maybe to prevent hacking of important services, prioritize prosecution when services/goods involved are affected with a minimum cumulative value.
 

Danny101

Posts: 1,557   +667
Whenever I set up email, it's either Pop or Imap, so I wonder how many consumers are affected. Still if you work with a company that requires being on a computer for much of the time, Exchange may be the main use. I haven't ever delved into that.
 

Squid Surprise

Posts: 3,876   +2,931
Whenever I set up email, it's either Pop or Imap, so I wonder how many consumers are affected. Still if you work with a company that requires being on a computer for much of the time, Exchange may be the main use. I haven't ever delved into that.
Exchange is a HUGELY popular email system... VAST quantities of companies use it. But those who aren't patching their systems should be criminally responsible.

There's a reason why companies hire IT and security people.... if anyone has been hacked since MS released patches, they should be taking a serious look at firing those people...
 

madboyv1

Posts: 1,668   +578
There's a reason why companies hire IT and security people.... if anyone has been hacked since MS released patches, they should be taking a serious look at firing those people...
Too bad that companies often hire such people, but leave the department with such small budgets or very short windows for even basic "routine maintenance", that it takes much longer for things to get done or worse, not done at all.

Supporting IT services in almost every company is not good for the bottom line until something goes wrong, then it's mix of panicked reactive responses and blaming the same IT services for not being ready.
 

Squid Surprise

Posts: 3,876   +2,931
Too bad that companies often hire such people, but leave the department with such small budgets or very short windows for even basic "routine maintenance", that it takes much longer for things to get done or worse, not done at all.

Supporting IT services in almost every company is not good for the bottom line until something goes wrong, then it's mix of panicked reactive responses and blaming the same IT services for not being ready.
Very true - IT people tend to be paid very well... if your budget is low, you'll get the crappy IT people... like my school board - we pay our IT people 30k per year... and we wonder why it's crummy...

But for companies RUNNING Exchange servers, this should not apply... Once you have a server up and running, keeping it up-to-date should be a matter of, at most, a few clicks (assuming your IT staff isn't knowledgeable enough to automate such things). There are simply no excuses for this.
 

madboyv1

Posts: 1,668   +578
Very true - IT people tend to be paid very well... if your budget is low, you'll get the crappy IT people... like my school board - we pay our IT people 30k per year... and we wonder why it's crummy...

But for companies RUNNING Exchange servers, this should not apply... Once you have a server up and running, keeping it up-to-date should be a matter of, at most, a few clicks (assuming your IT staff isn't knowledgeable enough to automate such things). There are simply no excuses for this.
We used to run our own exchange server and it was the wild west back then, slinging macguyver patchwork fixes since they wouldn't give us the money to upgrade hardware or software... but then we moved to Exchange Online and things have been relatively happy since then. XD
 

waclark

Posts: 25   +15
Whenever I set up email, it's either Pop or Imap, so I wonder how many consumers are affected. Still if you work with a company that requires being on a computer for much of the time, Exchange may be the main use. I haven't ever delved into that.
Most "consumers' are using hosted email systems and many of them aren't Exchange. Usually it's companies, government agencies or other organizations that are running on-prem/colo Exchange servers. Many companies have already switched to O365 (now MS365). I'd be most worried about government agencies because any agency with high-trust requirements is likely running an on-prem mail server.
 

duckofdeath

Posts: 252   +350
This is why we're bankrupting Huawei and Xiaomi, China.
Keep it up and all of your products will be blanket banned across the sensible parts of the world.
 

fps4ever

Posts: 638   +833
I spent 31 hours Thursday and Friday patching several exchange servers from these exploits. Two were compromised and cleaned up. Hackers are scum. Blaming IT services for 0 day exploits is ridiculous and ignorant beyond words. I have nothing good to say about China soooo......
 

Squid Surprise

Posts: 3,876   +2,931
I spent 31 hours Thursday and Friday patching several exchange servers from these exploits. Two were compromised and cleaned up. Hackers are scum. Blaming IT services for 0 day exploits is ridiculous and ignorant beyond words. I have nothing good to say about China soooo......
Patches were released days before... what were you doing Wednesday? And why aren’t you subscribed to get the 0day patches as soon as they’re released?!??
 

fps4ever

Posts: 638   +833
Patches were released days before... what were you doing Wednesday? And why aren’t you subscribed to get the 0day patches as soon as they’re released?!??

Getting things ready and testing the patches among the other thousand duties I have....There was also some research to do to exactly what was happening. That also includes contacting each company to set up emergency patch time schedules since it requires reboots on some along with other updates. And there are always quirks with different exchange server versions and setups. Any other dumb questions?
 
Last edited:

Darth Shiv

Posts: 2,143   +742
Exchange is a HUGELY popular email system... VAST quantities of companies use it. But those who aren't patching their systems should be criminally responsible.

There's a reason why companies hire IT and security people.... if anyone has been hacked since MS released patches, they should be taking a serious look at firing those people...
The hole was exploited actively for 2 MONTHS before a patch was released.
 

BadThad

Posts: 396   +367
China encourages these attacks in their ultimate goal of world domination and spreading communism. Trump had it right in going after China. Sadly, we now have a president that is a clueless fool and we will most certainly digress.
 

Squid Surprise

Posts: 3,876   +2,931
The hole was exploited actively for 2 MONTHS before a patch was released.
If only you'd bothered to READ my post.... here's the important part you clearly missed...
" There's a reason why companies hire IT and security people.... if anyone has been hacked since MS released patches, they should be taking a serious look at firing those people... "

Obviously, you can't blame IT for exploits BEFORE they were patched... but you certainly can AND SHOULD blame them for exploits AFTER they've been patched.
 
Last edited:

fps4ever

Posts: 638   +833
If only you'd bothered to READ my post.... here's the important part you clearly missed...
" There's a reason why companies hire IT and security people.... if anyone has been hacked since MS released patches, they should be taking a serious look at firing those people... "

Obviously, you can't blame IT for exploits BEFORE they were patched... but you certainly can AND SHOULD blame them for exploits AFTER they've been patched.

That sounds like a bean counter's excuse when IT is last on the totem pole for money, resources, personel, updated hardware, etc. to name a few...Keep digging.
 

Squid Surprise

Posts: 3,876   +2,931
That sounds like a bean counter's excuse when IT is last on the totem pole for money, resources, personel, updated hardware, etc. to name a few...Keep digging.
Assuming your IT staff is competent and not overstretched (like you seem to be), then it should be a fairly simple matter to keep your servers up to date.

If you require a week (or more) to patch something, there's something wrong... whether it's the IT person's fault - or the people who hired the IT person - is obviously dependant on numerous things I'm not present to judge...

In your case, it seems like it's the various companies who hire you are simply doing things on the cheap...

IT is kind of like a firefighter.... most of the time you don't need them and resent the money you're spending on them.... BUT.... when you DO need them, they're worth their weight in gold...
 

fps4ever

Posts: 638   +833
Assuming your IT staff is competent and not overstretched (like you seem to be), then it should be a fairly simple matter to keep your servers up to date.

If you require a week (or more) to patch something, there's something wrong... whether it's the IT person's fault - or the people who hired the IT person - is obviously dependant on numerous things I'm not present to judge...

In your case, it seems like it's the various companies who hire you are simply doing things on the cheap...

IT is kind of like a firefighter.... most of the time you don't need them and resent the money you're spending on them.... BUT.... when you DO need them, they're worth their weight in gold...

I want to live in your perfect IT world. Don't get me wrong I agree with your premise but that is not reality. We have fortune 500 companies worldwide continue to get hacked much less "cheap" companies. Be accountable for yourself and don't judge other IT departments with such a generalized statement is all I'm getting at.

Just to clarify with these specific 0 day exploits they are taking the low hanging fruit of if they actually use the default "administrator account then if targeted they could get in. Its like they teach you never to do then you are pretty safe. Most of ours do not use the default but we have to patch them all anyway. So urgent is relative...because the bean counters want MSERT scans done and reports regardless after this crap is done.
 
Last edited:

Squid Surprise

Posts: 3,876   +2,931
I want to live in your perfect IT world. Don't get me wrong I agree with your premise but that is not reality. We have fortune 500 companies worldwide continue to get hacked much less "cheap" companies. Be accountable for yourself and don't judge other IT departments with such a generalized statement is all I'm getting at.
Oh I know it isn't reality... but if people were held accountable, it might BECOME reality...

Decades ago, in Mexico, whenever a major earthquake hit, hundreds of people (or even thousands or tens of thousands) would become homeless as their shoddily built homes collapsed.... Finally Mexico passed a law that if a building collpased during an earthquake, the architect could face the death penalty...

Shockingly, building standards quickly rose....

I'm not recommending going to quite that extreme... but... if we made someone accountable, I'd wager far less servers would get hacked in the future...
 

Darth Shiv

Posts: 2,143   +742
Assuming your IT staff is competent and not overstretched (like you seem to be), then it should be a fairly simple matter to keep your servers up to date.

If you require a week (or more) to patch something, there's something wrong... whether it's the IT person's fault - or the people who hired the IT person - is obviously dependant on numerous things I'm not present to judge...

In your case, it seems like it's the various companies who hire you are simply doing things on the cheap...

IT is kind of like a firefighter.... most of the time you don't need them and resent the money you're spending on them.... BUT.... when you DO need them, they're worth their weight in gold...
The problem is Microsoft introduces, quite regularly, regressions. They do not always detail how and what patches affect. People delay patches so they can see what Microsoft ****s up when they beta test on the market.

To properly test, you would have a mirrored environment and ideally with PRODUCTION simulated load. Many companies do NOT give the resources to mirror high load services etc to do proper staged upgrades of email servers, etc for components of Microsoft software.

I can tell you over the last 10+ years the amount of downtime and security risk I have had from viruses in our office is a handful of HOURS. The downtime we have had because of virus scanners and security patches screwing things is WEEKS or MONTHS. Including completely hosing machines and stopping critical business functions working.

Those business functions had no attack vectors made vulnerable by not patching btw - the patches broke functional and secure machines for vectors that were not in our business workflows.

So it's not all black and white.
 

Squid Surprise

Posts: 3,876   +2,931
The problem is Microsoft introduces, quite regularly, regressions. They do not always detail how and what patches affect. People delay patches so they can see what Microsoft ****s up when they beta test on the market.

To properly test, you would have a mirrored environment and ideally with PRODUCTION simulated load. Many companies do NOT give the resources to mirror high load services etc to do proper staged upgrades of email servers, etc for components of Microsoft software.

I can tell you over the last 10+ years the amount of downtime and security risk I have had from viruses in our office is a handful of HOURS. The downtime we have had because of virus scanners and security patches screwing things is WEEKS or MONTHS. Including completely hosing machines and stopping critical business functions working.

Those business functions had no attack vectors made vulnerable by not patching btw - the patches broke functional and secure machines for vectors that were not in our business workflows.

So it's not all black and white.
Agreed - but... each patch tends to come with a white paper that explains what it’s for (even if it ends up fudging stuff up worse)... This latest Exchange patch did explain that it was kind of urgent... and any company with decently paid and not overwhelmed IT should have realized this was a priority to install...
 

Darth Shiv

Posts: 2,143   +742
Agreed - but... each patch tends to come with a white paper that explains what it’s for (even if it ends up fudging stuff up worse)... This latest Exchange patch did explain that it was kind of urgent... and any company with decently paid and not overwhelmed IT should have realized this was a priority to install...
For the critical stuff, everyone goes nuts in our company. Like red sirens and flurry of emails. The amount of them I've seen in say 5 years I could count on one hand. Most of the time I am the proactive one when something looks like it could affect us.

We read the advisories and anyone not paying attention to the press releases is negligent. Anyone who doesn't see the critical issues and considers if it applies to them is also negligent if their role is to maintain servers. Absolutely...

Reading the whitepapers ... I kinda feel those are more for security experts not for overwhelmed IT administrators. You really just want a paragraph summary on the issue compromise and attack vector then you can consider or ignore and move on with life (doing stuff that makes money).
 

fps4ever

Posts: 638   +833
For the critical stuff, everyone goes nuts in our company. Like red sirens and flurry of emails. The amount of them I've seen in say 5 years I could count on one hand. Most of the time I am the proactive one when something looks like it could affect us.

We read the advisories and anyone not paying attention to the press releases is negligent. Anyone who doesn't see the critical issues and considers if it applies to them is also negligent if their role is to maintain servers. Absolutely...

Reading the whitepapers ... I kinda feel those are more for security experts not for overwhelmed IT administrators. You really just want a paragraph summary on the issue compromise and attack vector then you can consider or ignore and move on with life (doing stuff that makes money).

I wonder if people realize how many critical, urgent, must read emails, notifications, etc. occur if you are subscribed to the thousands of security alerts as an admin. Now all that takes away from doing your actual duties. It is a never ending cycle of trying to keep up. Urgent and critical tend to lose their meaning, especially for MS products. Again these specific exploits target admins that used default administrator accounts so "urgent" is relative to each specific exchange server. And then you get the armchair finger pointers who complain it took you a couple extra days to get everything updated.
 

Danny101

Posts: 1,557   +667
It
I wonder if people realize how many critical, urgent, must read emails, notifications, etc. occur if you are subscribed to the thousands of security alerts as an admin. Now all that takes away from doing your actual duties. It is a never ending cycle of trying to keep up. Urgent and critical tend to lose their meaning, especially for MS products. Again these specific exploits target admins that used default administrator accounts so "urgent" is relative to each specific exchange server. And then you get the armchair finger pointers who complain it took you a couple extra days to get everything updated.
It would seem ideal that someone or a group would be given a dedicated responsibility to sort out and prioritize the updates and patches as they come, leaving other staff to implement what was approved. Even if anyone of the staff could do it all. Maybe even on a rotation. Not that I really know what all that happens in that environment. Just sort of a production allocation thing.