Tag Archive for: hack

Everything you need to know about the Microsoft Exchange Server hack


Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by a state-sponsored threat group from China and appear to have been adopted by other cyberattackers in widespread attacks.





© ZDNet


While in no way believed to be connected to the SolarWinds supply chain attack that has impacted an estimated 18,000 organizations worldwide — so far — there is concern that lags in patching vulnerable servers could have a similar impact, or worse, on businesses. 


Here is everything you need to know about the security issues and our guide will be updated as the story develops. 

What happened?

Microsoft told security expert Brian Krebs that the company was made aware of four zero-day bugs in “early” January. 

A DEVCORE researcher, credited with finding two of the security issues, appears to have reported them around January 5. Going under the handle “Orange Tsai,” the researcher tweeted:

“Just report a pre-auth RCE chain to the vendor. This might be the most serious RCE I have ever reported.”

According to Volexity, attacks using the four zero-days may have started as early as January 6, 2021. Dubex reported suspicious activity on Microsoft Exchange servers in the same month.


On March 2, Microsoft released patches to tackle the four severe vulnerabilities in Microsoft Exchange Server software. At the time, the company said that the bugs were being actively exploited in “limited, targeted attacks.”

Microsoft Exchange Server is an email inbox, calendar, and collaboration solution. Users range from enterprise giants to small and medium-sized businesses worldwide. 

While fixes have been issued, the scope of potential Exchange Server compromise depends on the speed and uptake of patches — and the number of estimated victims continues to grow. 

What are the vulnerabilities and why are they important?

The critical vulnerabilities impact on-premise Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. However, Exchange Online is not affected. 

  • CVE-2021-26855: CVSS 9.1: a Server Side Request Forgery (SSRF) vulnerability leading to crafted HTTP requests…

Source…

Victims of Microsoft hack scramble to plug security holes


Victims of a massive global hack of Microsoft email server software — estimated in the tens of thousands by cybersecurity responders — hustled Monday to shore up infected systems and try to diminish chances that intruders might steal data or hobble their networks.

The White House has called the hack an “active threat” and said senior national security officials were addressing it.

The breach was discovered in early January and attributed to Chinese cyber spies targeting U.S. policy think tanks. Then in late February, five days before Microsoft issued a patch on March 2, there was an explosion of infiltrations by other intruders, piggybacking on the initial breach. Victims run the spectrum of organizations that run email servers, from mom-and-pop retailers to law firms, municipal governments, health care providers and manufacturers.

While the hack doesn’t pose the kind of national security threat as the more sophisticated SolarWinds campaign, which the Biden administration blames on Russian intelligence officers, it can be an existential threat for victims who didn’t install the patch in time and now have hackers lingering in their systems. The hack poses a new challenge for the White House, which even as it prepares to respond to the SolarWinds breach, must now grapple with a formidable and very different threat from China.

“I would say it’s a serious economic security threat because so many small companies out there can literally have their business destroyed through a targeted ransomware attack,” said Dmitri Alperovitch, former chief technical officer of the cybersecurity firm CrowdStrike.

He blames China for the global wave of infections that began February 26, though other researchers say it’s too early to confidently attribute them. It’s a mystery how those hackers got wind of the initial breach because no one knew about this except a few researchers, Alperovitch said.

After the patch was released, a third wave of infections began, a piling on that typically occurs in such cases because Microsoft dominates the software market and offers a single point of attack.

Cybersecurity analysts trying to pull together a complete picture of the hack said their…

Source…

Massive Global Hack Breaches Microsoft Business Accounts

The European Banking Authority became one of the latest victims as it said Sunday that access to personal data through emails held on the Microsoft server may have been compromised. Others identified so far include banks and electricity providers, as well as senior citizen homes and an ice cream company, according to Huntress, an Ellicott City, Maryland-based firm that monitors the security of customers, in a blog post Friday.

One U.S. cybersecurity company which asked not to be named said its experts alone were working with at least 50 victims, trying to quickly determine what data the hackers may have taken while also trying to eject them.

The rapidly escalating attack drew the concern of U.S. national security officials, in part because the hackers were able to hit so many victims so quickly. Researchers say in the final phases of the attack, the hackers appeared to have automated the process, scooping up tens of thousands of new victims around the world in a matter of days.

“We are undertaking a whole of government response to assess and address the impact,” a White House official wrote in an email on Saturday. “This is an active threat still developing and we urge network operators to take it very seriously.”

The Chinese hacking group, which Microsoft calls Hafnium, appears to have been breaking into private and government computer networks through the company’s popular Exchange email software for a number of months, initially targeting only a small number of victims, according to Steven Adair, head of the northern Virginia-based Volexity. The cybersecurity company helped Microsoft identify the flaws being used by the hackers for which the software giant issued a fix on Tuesday.

The result is a second cybersecurity crisis coming just months after suspected Russian hackers breached nine federal agencies and at least 100 companies through tampered updates from IT management software maker SolarWinds LLC. Cybersecurity experts that defend the world’s computer systems expressed a growing sense of frustration and exhaustion.

“The good guys are getting tired,” said Charles Carmakal, a senior vice president at FireEye…

Source…

Tens of thousands of US organizations hit in ongoing Microsoft Exchange hack



Tens of thousands of US-based organizations are running Microsoft Exchange servers that have been backdoored by threat actors who are stealing administrator passwords and exploiting critical vulnerabilities in the email and calendaring application, it was widely reported. Microsoft issued emergency patches on Tuesday, but they do nothing to disinfect systems that are already compromised.

KrebsOnSecurity was the first to report the mass hack. Citing multiple unnamed people, reporter Brian Krebs put the number of compromised US organizations at at least 30,000. Worldwide, Krebs said there were at least 100,000 hacked organizations. Other news outlets, also citing unnamed sources, quickly followed with posts reporting the hack had hit tens of thousands of organizations in the US.

Assume compromise

“This is the real deal,” Chris Krebs, the former head of the Cybersecurity and Infrastructure Security Agency, said on Twitter, referring to the attacks on on-premises Exchange, which is also known as Outlook Web Access. “If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03.” His comments accompanied a tweet on Thursday from Jake Sullivan, the White House national security advisor to President Biden.

Hafnium has company

Microsoft on Tuesday said on-premises Exchange servers were being hacked in “limited targeted attacks” by a China-based hacking group the software maker is calling Hafnium. Following Friday’s post from Brian Krebs, Microsoft updated its post to say that it was seeing “increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM.”

Katie Nickels, director of intelligence at security firm Red Canary, told Ars that her team has found Exchange servers that were…

Source…