It’s Open Season for Microsoft Exchange Server Hacks

A patch for the vulnerabilities China exploited has been released. Now, criminal groups are going to reverse engineer it—if they haven’t already.
It's only a matter of time before ransomware and other criminal hackers figure out how to exploit the vulnerabilities China used in its recent spying spree. Photograph: Smith Collection/Gado/Getty Images

A massive espionage spree by a state-sponsored Chinese hacking group has hit at least 30,000 victims in the United States alone. The Exchange Server vulnerabilities leveraged by the group known as Hafnium have been patched, but the trouble is far from over. Now that criminal hackers can see what Microsoft has fixed, they can reverse engineer their own exploits, opening the door for escalating attacks like ransomware on anyone who's still exposed.

In the week since Microsoft first released its patches, the dynamic already appears to be playing out. Analysts have seen multiple groups, most still unidentified, getting in on the action in recent days, with more hackers likely still to come. The longer organizations take to patch, the more potential trouble they'll find themselves in.

While many organizations that get email services from Microsoft use the company's cloud offerings, others choose to run an Exchange server themselves "on premises," meaning that they physically own and operate the email servers and manage the system. Microsoft issued patches for four vulnerabilities in its Exchange Server software last Tuesday and said in those initial warnings that the Chinese state-backed hacking group Hafnium was behind the spree. It also confirmed this week that the barrage hasn't stopped.

“Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server,” the company said in an update on Monday.

Later that evening, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency reasserted the urgent need for vulnerable organizations to take action. “CISA urges ALL organizations across ALL sectors to follow guidance to address the widespread domestic and international exploitation of Microsoft Exchange Server product vulnerabilities,” the agency tweeted.

As bad as things are right now with Exchange exploitation, incident responders anticipate that things could get even worse without action.

"There's an inflection point where this moves from the hands of espionage operators into the hands of criminals and potentially open source," says John Hultquist, vice president of intelligence analysis at security firm FireEye. "That’s what we’re all holding our breath for right now, and it’s probably currently happening."

Patches are crucial to protecting organizations, but researchers and attackers alike can also use them to study an underlying vulnerability and figure out how to exploit it. That arms race doesn't detract from the importance of issuing fixes, but it can potentially turn targeted, espionage-driven attacks into a destructive melee. 

“I suspect that people are going to figure out how to exploit these vulnerabilities that have nothing to do with Hafnium or their friends," said Steven Adair, CEO of security firm Volexity, which first spotted the Exchange Server hacking campaign, in an interview last week. "Cryptocurrency mining people and ransomware people are going to get into this game."

Threat intelligence analysts at the security firms Red Canary and Binary Defense are already seeing indications that attackers are laying groundwork to run cryptominers on exposed Exchange servers.

An already tenuous situation stands to get much worse once someone publicly releases a proof-of-concept exploit, essentially providing a blueprint hacking tool that others can use. "I know some research teams are working on proof-of-concept exploits for them to be able to protect and defend their customers," says Katie Nickels, director of intelligence at the security firm Red Canary. "The thing that everyone’s nervous about right now is if someone publishes a proof-of-concept."

On Tuesday, researchers at the enterprise security firm Praetorian released a report about an exploit they have developed for the Exchange vulnerabilities. The firm says it made a conscious choice to leave out some key details that would allow virtually any attacker, regardless of their skill and expertise, to weaponize the tool. On Wednesday, security researcher Marcus Hutchins said that a working proof of concept has started circulating publicly.

“While we have elected to refrain from releasing the full exploit, we know a complete exploit will be released by the security community shortly," the Praetorian researchers wrote on Tuesday.

The reality is that patching is a slow process for many organizations. Hackers rely on many notorious vulnerabilities that were patched years ago, but still crop up in victim networks often enough to be useful in attacks. Some companies may not have the funding or dedicated expertise to undergo major upgrades or migrate to the cloud. Plus, critical infrastructure, health care, and other sectors are sometimes unable to make major system changes or move away from legacy services at all. Red Canary's Nickels says that public scans still show more than 10,000 Exchange servers that are vulnerable to attack. She adds, though, that it's difficult to get a precise count. 

“I think we’re all concerned that proofs-of-concept are being built right now,” Mandiant's Hultquist says. “They may have some security benefit, but they will also be leveraged to target many of these under-resourced organizations."

To aid organizations that can't update their Exchange servers immediately, Microsoft released additional emergency fixes on Monday for old and unsupported versions. The company is heavily emphasizing, though, that these extra patches only contain updates related to the four vulnerabilities being actively exploited and do not retroactively bring those deprecated versions of Exchange Server up to date. “This is intended only as a temporary measure to help you protect vulnerable machines right now," the Exchange team wrote. “You still need to update."

"It's a fact of life that all patches are reversed to find the exploit," says Katie Moussouris, founder of the consultancy Luta Security. Moussouris is one of the originators of Microsoft Active Protections Program, a mechanism the company uses to give trusted organizations advance warning about vulnerabilities—an attempt to get ahead of the arms race after patches go live.

As incident responders work to remediate infections caused by the Exchange server vulnerabilities and brace for a possible next wave of exploitation, they are also reflecting on the pileup of recent, high-profile, and widespread hacking campaigns. Before Microsoft Exchange Server there was SolarWinds. Before SolarWinds there was Accellion. All three are still causing ongoing pain. But while researchers emphasize that the scale and scope of these incidents are important, they hesitate to draw hasty conclusions about their larger significance.

“I think there’s some recency bias here, because we’re all living through this and we’re all kind of tired and burned out, and there’s a pandemic," Red Canary's Nickels says. "But there have been multiple massive vulnerabilities before. Anytime there’s a vulnerability in something a lot of people use, it’s really bad."

And as common criminals reverse engineer their way to wielding new versions of nation-state tools, it's only going to get worse.

Updated Wednesday March 10, 2021 at 4:45pm ET to include information that at least one proof-of-concept exploit has surfaced publicly.
