Special Report: Microsoft Exchange Breach Is a 'Crazy Huge Hack' Reaching Into 30,000-Plus Organizations

Hack by Chinese APT group Hafnium could have seeded hundreds of thousands of unpatched orgs; White House warns of far-reaching consequences; cybersecurity pros face a 'Herculean' clean-up effort; more

At least 30,000 government and private industry organizations have been hacked by an unusually aggressive Chinese cyber-espionage unit that Microsoft has named Hafnium, sources told Krebs on Security. The group is focused on stealing email from victim organizations, exploiting four newly discovered flaws in Microsoft Exchange Server. Microsoft issued patches for the flaws on March 2, 2021, but the concern over Hafnium's reach centers on the large number of organizations that have not yet applied them.

The hackers have further seeded hundreds of thousands of unpatched victim organizations worldwide with tools that give the attackers full remote control over affected systems. In each case the attackers have left behind a "web shell": a small, password-protected script planted on the compromised server that they can reach over the Internet from any browser and that gives them administrative access to the targeted machine. Patching closes the entry point but does not remove a web shell that is already in place, which is why incident responders must hunt for these backdoors on every server that was exposed before it was patched.

Volexity, the cybersecurity company Microsoft credited with discovering the Exchange flaws, says the chances are high that any organization running an Internet-facing Exchange server that has not yet installed the patches is already compromised. Earlier this week, CISA issued an emergency directive ordering all federal agencies to patch their Exchange servers. Yesterday, CISA promoted new mitigations released by Microsoft for organizations that cannot immediately apply the patches.

Former CISA chief Chris Krebs has been warning organizations that this widespread compromise is the real deal and a "crazy huge hack."

Andy Greenberg of Wired confirmed Brian Krebs' scoop. One researcher told Greenberg that the scale of the compromise is "astronomical."

The White House has responded quickly to this latest cybersecurity crisis, which comes on the heels of the massive SolarWinds breach widely attributed to Russia. As Reuters reported, White House press secretary Jen Psaki told reporters that the vulnerabilities in Microsoft's widely used Exchange servers were "significant" and "could have far-reaching impacts."

Meanwhile, information security incident responders across the industry are working long hours to cope with this massive incident.

Related: Security News | Tech Times, WIRED, US-CERT Current Activity, MSPoweruser, TechNet Blogs, RT USA, Microsoft Security Response Center, Dark Reading, Slashdot, TechTarget, The Verge, isssource.com, Bleeping Computer, Gizmodo, ZDNet Security, DataBreachToday.com, Redmond Magazine, Security Affairs, HackRead, Reddit - cybersecurity, Reuters, CNN.com - Politics, The Hill: Cybersecurity
