A security gap in the Exchange mail program enabled a gigantic hacking campaign against companies. Microsoft has closed the gap. And it still has to watch the gap being exploited by at least five hacker groups.
Reading the emails of tens of thousands of companies, banks, authorities and research institutions, and sometimes even being able to remotely control their computers – that is a hacker’s dream. For Microsoft, however, the Hafnium attack is developing into a nightmare. Because although Microsoft has known about the loophole for months and has now closed it, the attacks simply continue. And the company can do little more than watch.
In view of the scale, this is dramatic: more than 60,000 companies are said to have been identified as victims, and some estimates even assume several hundred thousand attacks. And new ones are added every day: Microsoft provides patches to close the security gap, but these must first be installed manually by the administrators of the respective systems. The attackers are aware of this: experts have found at least five groups working feverishly to infect further companies before their access is cut off.
Microsoft had known about it for months
At least part of the blame also falls on Microsoft. The company had to admit to the expert Brian Krebs that it was informed of the first attacks on January 5th. The first attack ever detected took place on January 3rd. If Microsoft had acted faster, the extent might have been smaller.
The IT giant would probably not have been able to completely prevent the current wave. Since every locally installed Exchange server has to be patched by the organization that runs it, the company had little room for maneuver other than to provide the patch and inform customers about the vulnerability.
Run on the gap
But that is exactly what led to a boom in attacks: while initially only very select targets were attacked via the vulnerability (Microsoft suspects Chinese state-backed hackers behind the first wave), the number of attacks exploded in the last week. “You really got started and began with mass attacks,” said security expert Steven Adair to “Bloomberg”. In doing so, the attackers no longer selected targets, as before, by industry, by the relevance of the victim or by possible loot: “They attacked every server they could find.”
The experts cannot yet say for sure whether the same Chinese hackers were behind the second wave or whether the patch made others aware of the vulnerability. What is certain, however, is that some of the hackers have found a way to automate the attack. “If you run an Exchange server, you are likely to be affected,” said Adair. Microsoft had previously warned that the ease of exploiting the loophole created a very high risk of copycats.
Microsoft explained that the attacks did not by any means affect all Exchange users: users of the cloud solution were not vulnerable. The supposed security became a danger: many companies operate their own Exchange servers because they do not trust cloud solutions. In cloud-skeptical Germany in particular, the risk is especially high, explained expert Rüdiger Trost to the “editorial network Germany”.
White House warns of “active threat”
Hafnium is an “active threat,” the White House has just confirmed. US President Joe Biden has set up his own task force for it. One of the factors that may play a role is the fact that the last major attack, via the SolarWinds server software, was only a few months ago. That attack has long been attributed to Russian hackers, but current evidence suggests that Chinese teams also took advantage of the vulnerability.
As with SolarWinds, the extent of the current attack will not be foreseeable for months. The crux of the matter: just because the patch has been applied doesn’t mean the attack is over if a back door has already been successfully installed. So every company has to find out for itself whether there are traces of an infection. Until these have been found and removed, further data can be extracted.
At least the search has been made easier: Microsoft lists indicators of compromise for its own system on its blog, and the company also offers a tool that scans for these clues. It remains to be seen whether all infections can be found this way.
Should Microsoft have acted differently?
Microsoft is in an uncomfortable position as a result of the attack. While the company long made its main business with Windows, the operating system has since been overtaken by service offerings such as Office and the cloud business. Offerings such as Exchange in particular are attractive to many companies: they receive the software from Microsoft but operate the system themselves. This also means that the risk stays with them, since they are responsible for fixing errors and uncovering infections.
Microsoft left “The Verge”’s question of whether an earlier patch would have mitigated the severity of the attack unanswered. However, it would probably not have been able to prevent the current run on the gap by hacker groups. “If we take what Microsoft has published about hafnium as a basis, it now goes beyond that. We see activities that are clearly different in tactics, technology and procedures from what has been reported so far,” said security researcher Katie Nickels, who investigates the attacks on behalf of companies, to the journal “MIT Technology Review”.
“We work closely with CISA (US IT security agency), other government organizations and security companies to ensure that we can offer the best possible advice and damage limitation to our customers,” said a Microsoft spokesman in a company statement. “The best protection is to install the updates as soon as possible.” Affected customers are also assisted by the support teams. However, the company cannot do the work for them.