Microsoft Confident Exchange Hack Is State-Sponsored Operation

Microsoft on Monday reported that multiple malicious actors were taking advantage of vulnerabilities in the company’s Exchange software last week to attack systems at organizations that have failed to patch the flaws.

To help organizations that haven’t deployed Microsoft’s security tools, the company released the malware hashes and known malicious file paths which can be used to address the vulnerabilities manually.

Microsoft revealed on March 4 that it had detected multiple zero-day exploits being used to attack on-premises versions of its Exchange Server software. It added that in the attacks observed by the company, the threat actor used the vulnerabilities to access email accounts and to install additional malware that facilitated long-term access to victim environments.

At the same time, Microsoft released software to patch the vulnerabilities.

The company attributed the attacks “with high confidence” based on observed victimology, tactics and procedures to Hafnium, a group believed to be state-sponsored and operating out of China.

“We are working closely with the [Cybersecurity and Infrastructure Security Agency], other government agencies, and security companies, to ensure we are providing the best possible guidance and mitigation for our customers,” Microsoft said in a statement provided to TechNewsWorld.

“The best protection is to apply updates as soon as possible across all impacted systems,” it continued. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”

Hackers Rushing In

Initially, it was estimated that 20,000 organizations were affected by the attacks, but according to Bloomberg, that number has ballooned to 60,000 and is continuing to rise. That could be because other hackers are rushing through the door opened by Hafnium.

In the days after the attacks were made public, Cynet, a New York City-based maker of an autonomous breach protection platform, discovered a number of attacks related to the Exchange vulnerabilities using a piece of malicious software called China Chopper.

That malware is a Web shell backdoor that allows threat groups to remotely access an enterprise network by abusing a client-side application to gain remote control of the compromised system.

Cynet identified four groups using China Chopper: Leviathan, Threat Group-3390, Soft Cell and APT41.

“The fact that China Chopper is a tool used by certain APT groups and the fact that China Chopper was specifically used to attack the vulnerable Microsoft services leads us to believe that additional APT groups are targeting these vulnerabilities,” Cynet Senior Threat Researcher Max Malyutin wrote in a company blog.

Although broad exploitation of the Exchange vulnerabilities has begun to spread and is now in the hands of criminal actors, some organizations will have more to lose than others, added John Hultquist, vice president of analysis at Mandiant Threat Intelligence.

“The cyber espionage operators who have had access to this exploit for some time aren’t likely to be interested in the vast majority of the small and medium organizations,” he said in a statement.

“Though they appear to be exploiting organizations in masses,” he continued, “this effort could allow them to select targets of the greatest intelligence value.”

Data Trove in Emails

While the exact goals of the attackers are not known at this time, experts agree the threat actors are tapping into a rich trove of data.

“Even without being able to authoritatively name all of the involved threat actors, think about what you would find in email accounts,” observed Ben Smith, field chief technology officer at RSA Security, a global security solutions provider.

“Intellectual property and information about individuals associated with the targeted organization are two broad categories of very sensitive data found in email,” he told TechNewsWorld.

There may not be any direct evidence of an immediate single motive, but stealing data would be the general goal, noted Purandar Das, CEO and co-founder of Sotero, a data protection company in Burlington, Mass.

“In this case, the potential outcomes may take a while to emerge,” he told TechNewsWorld. “Sensitive email content leading to strategy, financial transactions, user credentials may all be at stake.”

Matt Petrosky, vice president of customer experience at GreatHorn, a cloud email security company in Waltham, Mass., added that it is safe to say there will be an increase in impersonation-based attacks, since attackers now have access to internal communications as well as accounts receivable and payable information.

“Attackers can use that data to insert themselves via email impersonation to misdirect payments or exploit internal information,” he told TechNewsWorld.

Nation-State Attack

Nailing down the source of a cyberattack can be a dicey proposition — even if Microsoft is confident it has identified the perpetrators of the Exchange attacks — although the characteristics of the forays seem to strongly point to a nation-state.

“The scale, scope, and third-party supply-chain focus of this attack all definitely point to a level of sophistication typically seen with a nation-state attack,” Smith said.

“Anecdotally, the scale, volume and speed with which the attack has accelerated indicates a well-organized group has orchestrated the attack,” Das added.

“Those orchestration and organizational skills are the kind that a nation state could deploy,” he observed.

Karen Walsh, the principal at Allegro Solutions, a cybersecurity marketing company in West Hartford, Conn., agrees with Microsoft that not just any nation-state is behind the attacks. The indicators of compromise and the signature of the attack appear to point to China, she explained.

“Malicious actors have their favorite ways of doing something,” she said. “Just as artists have a certain style, hackers have a certain style.”

SolarWinds Reprise

As with the massive SolarWinds attack last year, the Exchange attack is targeting a third-party provider to many organizations.

“Both attacks targeted the supply chains of affected organizations,” Smith explained.

“It’s too easy to forget,” he continued, “that even if you aren’t in the widget-making business, if you are dependent on third parties to operate your business, you also have a supply chain that can be compromised.”

The attacks are similar because they both targeted a third-party platform to infect a large customer base, but they’re different, too, Das added.

“They are different in that the SolarWinds software hack was one where they penetrated the code base and installed a back door that was then leveraged to gain access to a customer’s network,” he explained.

“In the case of the Microsoft hack,” he continued, “the criminals identified a vulnerability in a production release and used that to gain access to emails.”

Petrosky maintained that the attacks are similar only in the daunting number of potential victims, even though the Exchange incident appears to be outstripping SolarWinds five to one.

“SolarWinds victims were vulnerable mainly because they trusted the SolarWinds software to update itself through a secure channel,” he said.

“The Microsoft attack is more of a classic zero-day attack,” he continued. “The initial victims may have been selectively targeted, but the sheer volume of potential victims today is because these Exchange servers are sitting accessible to Internet searches like the Shodan tool and other scripts.”

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.
