US Issues Warning Over ‘Far-Reaching’ Microsoft Email Hack

The US presidential administration has said it is “concerned” over the potentially large number of organisations affected by four zero-day flaws in Microsoft Exchange that emerged last week.

“This is a significant vulnerability that could have far-reaching impacts,” White House press secretary Jen Psaki told journalists. “We’re concerned that there’re a large number of victims.”

The administration’s comments are the latest indication of the significance of the Exchange bugs, for which Microsoft issued emergency patches last Tuesday.

Microsoft said a Chinese state-backed hacking group called Hafnium was behind the hacks, which began in early January.

State-sponsored hack

The incident follows last year’s hack of SolarWinds’ widely used Orion IT monitoring tool.

The SolarWinds hack was likewise blamed on a state-backed group, Russian in that case, and it too continued for several months before being detected. Microsoft said the two campaigns are unrelated.

The company said Hafnium used the flaws to gain access to Exchange servers undetected in order to steal information from infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and non-governmental groups.

Dell Technologies’ Secureworks said last week the hackers began carrying out many more hacks on Sunday 28 February, possibly a sign they knew their activities were about to be discovered.

The attackers operated from leased virtual private servers in the US, researchers said.

Volexity, a security firm that reported the attacks to Microsoft, said the attacks had shifted from data theft to efforts to gain further access to organisations’ systems.

Additional exploits

“While the attackers appear to have initially flown largely under the radar by simply stealing emails, they recently pivoted to launching exploits to gain a foothold,” Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster said in an advisory.

“From Volexity’s perspective, this exploitation appears to involve multiple operators using a wide variety of tools and methods for dumping credentials, moving laterally, and further backdooring systems.”

Security firm Mandiant said it had detected hacks using the flaws amongst a number of its clients, including US-based retailers, local governments, a university and an engineering firm.

It said related activity appeared to have also affected a Southeast Asian government and a Central Asian telecommunications company.

While Microsoft has patched the issues, organisations that don’t apply the fixes immediately may still be exposed to attacks, industry watchers said.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
