The Rampage Continues
Vulnerabilities in a major player’s server architecture are an open invitation to hackers; once one group successfully exploits them, others line up behind to try their luck. This is what is currently happening to Microsoft: the Exchange email hack attempts continue to trouble Microsoft users.
Starting in early March 2021, the Exchange server vulnerabilities led to 30,000 US companies being hacked. Microsoft quickly patched the vulnerabilities, but only a minor percentage of Exchange online users have reportedly upgraded their Microsoft client applications. Moreover, the hackers have made provisions for backdoor entry, which means that despite the security patch, Exchange email hacking remains a strong possibility. Later, financial regulators in Europe were also attacked through the same medium.
Now, a US-based cyber security firm has found traces of an Exchange email hack which has affected over 500 email users in the UK. The UK’s National Cyber Security Centre has stepped in and is actively working to get to the bottom of this email hacking case. The Norwegian government has also joined the effort and is scanning for potential victim pools.
Zero-Day Becomes Mayday
Microsoft reported that the initial Exchange email hacking attempts were carried out by a Chinese state-sponsored group called the Hafnium group. Investigations revealed that this group is highly sophisticated and used infiltration techniques never seen before.
While a zero-day vulnerability can be rectified by applying a security patch, these hackers planted web shells, allowing them to return and continue their snooping even after a patch is in place. A web shell is a malicious script left on a compromised server that gives the attacker continued remote access regardless of the security measures applied afterwards. Using web shells, the hackers can spy on a system, steal sensitive information, and also move into neighbouring systems, i.e., systems connected to the infected system through a network.
But these Exchange email hack cases have gone beyond corporate and/or national espionage and have escalated into a major crisis, as thousands of organizations across several sectors around the world are facing the threat of infiltration.
“As always, it is complex but it is very likely that Hafnium gifted these ‘zero days’ to government-sanctioned groups to actively use the flaws once they were rumbled,” says Jake Moore, security investigator looking into the case. “The race is now on for all of those affected to patch immediately and then painstakingly check for any recent compromises and make sure no [web shells] are installed on the servers.”
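One way to start the web-shell check Moore describes, as an added defensive example that is not part of the original article: a small triage scanner that flags recently modified ASP.NET script files carrying several indicator tokens at once. The indicator patterns and the sample directory tree are assumptions constructed for the example, not the incident’s published indicators, so real hunts should use the vendor-published IoCs and treat hits only as leads to inspect.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristic indicators that tend to co-occur in ASP.NET web shells. These are assumed
# generic patterns, not the vendor-published IoCs for this incident; a hit is a lead
# for manual inspection, not proof of compromise.
SUSPICIOUS_PATTERNS = {
    "reads request input": re.compile(rb"Request\s*[\[.]", re.I),
    "dynamic eval": re.compile(rb"\beval\s*\(", re.I),
    "spawns a process": re.compile(rb"Process\.Start|cmd\.exe", re.I),
    "decodes base64": re.compile(rb"FromBase64String", re.I),
}
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}

def scan_for_webshells(root, newer_than, min_hits=2):
    """Walk `root`; return [(path, [indicator, ...])] for server-script files
    modified after `newer_than` (epoch seconds) that match at least min_hits indicators."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        if path.stat().st_mtime < newer_than:
            continue  # untouched since before the window of interest
        data = path.read_bytes()
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(data)]
        if len(hits) >= min_hits:
            findings.append((str(path), hits))
    return findings

def demo(min_hits=2):
    """Build a constructed sample tree (not a real Exchange install) and scan it."""
    root = Path(tempfile.mkdtemp()) / "owa" / "auth"
    root.mkdir(parents=True)
    week_ago = time.time() - 7 * 24 * 3600
    # 1) legitimate page last modified before the window: skipped by the mtime filter
    old = root / "logon.aspx"
    old.write_text('<%@ Page Language="C#" %><html>Sign in</html>')
    os.utime(old, (week_ago - 60, week_ago - 60))
    # 2) recent page with a single indicator: below the default min_hits threshold
    single = root / "errorFE.aspx"
    single.write_text('<% var u = Request.Form["user"]; %>')
    # 3) recent file carrying several indicator tokens (constructed text, not a working page)
    dropped = root / "help.aspx"
    dropped.write_text("CONSTRUCTED SAMPLE: eval( Request[ FromBase64String cmd.exe")
    return scan_for_webshells(root, newer_than=week_ago, min_hits=min_hits)

if __name__ == "__main__":
    for path, hits in demo():
        print(f"{path}: {', '.join(hits)}")
```

Lowering `min_hits` to 1 widens the net to any recent script that reads request input, which is useful for a first pass but produces more legitimate pages to rule out.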
The Attacks Will Continue…
The forecast from various security organizations is that the number and intensity of these attacks will keep growing. Moreover, the attacks will spread into data theft, data leaks, and even ransomware. Right now, no discernible pattern has emerged as to which people or organizations should expect to be targeted, so it is going to be a headache for virtually anyone using an Exchange online client.
If you are a Microsoft email user, it would be wise to do a thorough sanitization of your systems, even if you have seen no visible indications of an Exchange email hack. Now is the right time to be proactive rather than reactive, and to take concrete steps to fortify your email security. Better safe than sorry!