When the news hit earlier this week that Chinese hackers were actively targeting Microsoft Exchange servers, the cybersecurity community warned that the zero-day vulnerabilities they were exploiting could have allowed them to strike countless organizations across the globe. Now it is becoming clear just how many mail servers they have hacked into. Clearly, the group known as Hafnium hacked as many victims as it could find on the global internet, leaving behind backdoors to return to later.
Hafnium has now exploited zero-day vulnerabilities in the Outlook Web Access component of Microsoft Exchange servers to indiscriminately compromise as many as tens of thousands of mail servers, according to sources with knowledge of the investigation into the hacking campaign who spoke to WIRED. The intrusions, first spotted by security firm Volexity, began as early as January 6, with a noticeable increase starting last Friday and a peak at the start of this week. The hackers appear to have responded to Microsoft’s patch, released on Tuesday, by stepping up and automating their hacking campaign. A security researcher involved in the investigation who spoke to WIRED on condition of anonymity estimated the number of hacked Exchange servers at over 30,000 in the United States alone, and hundreds of thousands globally, all of them apparently compromised by the same group. Freelance cybersecurity journalist Brian Krebs first reported that 30,000 figure, citing sources who briefed national security officials.
“It’s huge. Absolutely huge,” a former national security official familiar with the investigation told WIRED. “We are talking about thousands of compromised servers per hour, around the world.”
At a press conference on Friday afternoon, White House press secretary Jen Psaki warned anyone running the affected Exchange servers to immediately apply Microsoft’s patch for the vulnerabilities. “We are concerned that there are a large number of victims and are working with our partners to understand the scope,” Psaki said, in a rare case of a White House press secretary commenting on specific cybersecurity vulnerabilities. “Network owners should also consider whether they have already been compromised and should take the appropriate action immediately.” This White House advice echoed a tweet from Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, who on Thursday night advised anyone with an exposed Exchange server to “assume a compromise” and begin incident response measures to remove the hackers’ access.
Affected networks, which likely include those of small and medium-sized businesses more than large enterprises that tend to use cloud-based email systems, appear to have been indiscriminately hacked through automated scanning. The hackers implanted a “web shell” – a remotely accessible web backdoor that serves as a foothold – on the Exchange servers they compromised, allowing them to perform discovery on the target machines and potentially move on to other computers on the network.
This means that only a small number of the hundreds of thousands of hacked servers around the world are likely to be actively targeted by the Chinese hackers, says Volexity founder Steven Adair. Still, any organization that doesn’t bother to remove the hackers’ backdoor remains in jeopardy, and the hackers could re-enter its network to steal data or cause chaos until that web shell is removed. “A massive, massive number of organizations are gaining a foothold,” Adair says. “It’s a time bomb that can be used against them at any time.”
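The paragraphs above describe the dropped web shell as a backdoor that stays dangerous until it is found and removed. The script below is an added example of the kind of hunt a defender would run on a suspected server, not code from the article or from any of the firms it quotes: it walks a web content root, picks out server-executable script files modified after a cut-off date, and flags those containing constructs that a normal login page has no reason to contain. The directory layout, file names and file contents it creates are constructed for the demonstration, and the patterns are illustrative heuristics, not a published indicator list.

```python
"""
Hunt for recently dropped, web-shell-like script files under a web root.
Added example for illustration; all paths and file contents are constructed.
"""
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Server-side script extensions an IIS/ASP.NET host would execute on request.
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asp"}

# Constructs that read attacker-controllable request data or launch processes.
# Any of them in a freshly written file under the web root deserves a look.
# (Illustrative heuristics, not an official indicator list.)
SUSPICIOUS_PATTERNS = [
    re.compile(r"Request\s*[\.\[]\s*(Form|QueryString|Item|Headers)", re.I),
    re.compile(r"Process\.Start|ProcessStartInfo|cmd\.exe|powershell", re.I),
    re.compile(r"eval\s*\(|Assembly\.Load|JScript\.Eval", re.I),
]


def scan_webroot(root, newer_than):
    """Return a sorted list of (relative_path, [matched_patterns]) for
    executable script files modified after `newer_than` that contain at
    least one suspicious construct."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_EXTS:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime < newer_than:
            continue  # old, unchanged file: not a recent drop
        text = path.read_text(errors="ignore")
        reasons = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(text)]
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root with one benign page and one file that
    looks like a dropped shell (it contains the markers, but is not a
    working shell)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_demo_"))
    legit = root / "owa" / "auth" / "logon.aspx"
    legit.parent.mkdir(parents=True)
    legit.write_text('<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    dropped = root / "aspnet_client" / "system_web" / "x.aspx"
    dropped.parent.mkdir(parents=True)
    dropped.write_text(
        '<%@ Page Language="JScript" %>\n'
        '<% /* constructed marker file */ var c = Request.Item["cmd"]; %>\n'
        "<!-- ProcessStartInfo -->\n"
    )
    return root


def run_demo():
    """Build the sample tree and scan it for files touched in the last 30 days."""
    root = build_sample_webroot()
    cutoff = datetime.now(timezone.utc) - timedelta(days=30)
    return scan_webroot(root, cutoff)


if __name__ == "__main__":
    for rel_path, reasons in run_demo():
        print(f"SUSPECT {rel_path}: {', '.join(reasons)}")
```

Run against a real server, `root` would be the IIS content directories and the cut-off would be the earliest date the campaign is believed to have started; every hit should be reviewed by hand, since a modification time alone proves nothing and the attacker can backdate it, which is why the script pairs the timestamp with content checks rather than relying on either alone.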
While the vast majority of intrusions appear to be just these web shells, the “astronomical” scale of the global compromises is particularly worrying, said a security researcher involved in the investigation who spoke to WIRED. Small to medium-sized organizations that have been compromised include local government agencies, police, hospitals, Covid response, energy, transportation, airports and prisons. “China owned the world – or at least everyone with Outlook Web Access,” the researcher said. “When was the last time someone was bold enough to strike everybody?”