Microsoft Exchange Server attack hits local governments
Among the 30,000 victims of the Hafnium attack in the U.S. are a disproportionate number of local governments, security experts said.
The global Hafnium attack that is targeting email vulnerabilities in Microsoft’s Exchange Server is finding plenty of local government victims.
Microsoft announced the attack and released out-of-band security updates on March 2 to protect servers that had not yet been compromised by the zero-day vulnerabilities in its Exchange Servers' Outlook Web Access.
Exploiting the vulnerabilities, the threat actor Microsoft has named Hafnium has gained persistent system access not just to files and mailboxes on the server but also to credentials stored on that system, the Cybersecurity and Infrastructure Security Agency said in a March 3 alert. Even after systems have been patched, however, backdoors may have already been installed on email servers.
The attack is not known to have impacted Exchange Online or Microsoft 365 (formerly O365) cloud email services, CISA said.
Security expert Brian Krebs reported in his KrebsOnSecurity blog that the list of 30,000 victims in the U.S. includes a significant number of local governments.
“It’s police departments, hospitals, tons of city and state governments and credit unions,” one source who’s working closely with federal officials told KrebsOnSecurity. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”
Christopher Krebs, the former CISA director, tweeted March 5 that the attack would “disproportionately impact those that can least afford it (SMBs, Edu, States, locals).” Plus, he said, the “sheer scale & speed of this one is terrifying. It's trivial to exploit. Countdown to Ransomware?”
Steven Adair, president of Volexity, a company that spotted the attack in January, told KrebsOnSecurity he’s fielded dozens of calls from “state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help.”
Even when organizations learn they have been compromised, if they don’t remove the backdoor, they are leaving themselves open to more attacks. "A massive, massive number of organizations are getting that initial foothold," Adair told Wired. "It's a ticking time bomb that can be used against them at any point in time."
On a call with stakeholders impacted by Hafnium, another government cybersecurity expert told KrebsOnSecurity he’s concerned about remediation efforts.
“The cleanup effort required is going to be Herculean,” a government cybersecurity expert told KrebsOnSecurity. If the number of victims climbs into the tens of thousands, “there are just not enough incident response teams out there to do that quickly.”
To make matters worse, it seems that other bad actors started taking advantage of the vulnerability once Microsoft announced it.
“Four more groups have joined in, and the original Chinese hackers have dropped the pretense of stealth and increased the number of attacks they’re carrying out,” according to a report in MIT’s Technology Review.
Federal agencies, which often have vastly more depth to their cybersecurity defense, were required by CISA to immediately patch vulnerable systems or unplug them.
Meanwhile, Microsoft has released tools to help organizations identify whether they’ve been compromised and clean up their systems. Microsoft has released an updated script that scans Exchange log files for evidence of compromise, and some mitigation recommendations.