Last week, Microsoft released patches for vulnerabilities in Exchange, its widely used e-mail and collaboration server, after a China-based hacking group exploited them as zero-days to break into on-premises servers, read the mailboxes of thousands of organisations (including in Italy) and steal confidential information.
The targeted attacks gained access to the victims' on-premises Exchange servers, paving the way for the installation of additional malware that gave the attackers long-term access to the compromised environments.
Details of the cyber-attack
Around 30,000 companies and government organisations were affected and an unknown number of e-mails were put at risk, so much so that even the White House was alarmed.
These are the key facts of an attack that hit Microsoft and, with it, its customers.
A White House spokesperson stressed: “It is essential that any organisation with a vulnerable server take immediate steps to determine whether it has already been targeted”, specifying in the statement that applying patches and updates would not solve the problem for servers that had already been compromised.
Microsoft was reportedly first alerted to the vulnerabilities around 5 January by the security firm DEVCORE. Over the following days it received further reports from other cybersecurity companies.
The attribution, however, appears clear: according to the American giant, the attack was carried out on China's behalf by a hacking group it calls Hafnium.
The group, which is based in Beijing but operates through virtual private servers rented around the world to hinder attribution, is said to be particularly interested in corporate correspondence, above all military and scientific communications.
Among the hardest-hit organisations are many institutions engaged in infectious-disease research. In the last few hours, Beijing has issued a firm denial.
Mat Gangwer, senior director at Sophos, a computer security company and IT solutions partner, states: “Attacks such as the one carried out by Hafnium must be handled with extreme care: they allow attackers to remotely execute commands on servers without the need for credentials, enabling any attacker to exploit them at will. The high prevalence of Exchange and its exposure to the Internet means that many organisations using an on-premises Exchange server are potentially at risk”.
“Attackers”, according to the Sophos analyst, “are actively exploiting these vulnerabilities with a web shell technique that, if not detected and blocked in a timely manner, allows cyber criminals to execute commands remotely for as long as the web shell remains active. Companies using an on-premises Exchange server should verify that patches are properly applied to Exchange devices and ensure that updates are successful. However, simply applying patches does not remove attacks that predate the patch from the network. Companies therefore need technical support and intelligence that can determine whether they have been affected and to what extent, and most importantly, neutralise the attack and lock the attackers out of their networks”.
The criminal network has grown
In the meantime, Microsoft has specified that other cybercriminal groups have been identified that are actively exploiting the still-unpatched vulnerabilities. According to the MIT Technology Review (a magazine that selects and documents the most important technological innovations), there are four such groups. By exploiting the vulnerabilities, they are able to install web shells (i.e. scripts uploaded to a server in order to give a hacker remote control of the machine) and consequently steal data, upload files and execute commands.
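Because patching does not evict an attacker who has already dropped a web shell, the check a defender actually needs after the advice above is a sweep of the server's web content for server-side scripts that hand request input to a code-execution or process-launch primitive. The following is an added illustration written for this page, not Microsoft's or Sophos's tooling and not a list of indicators published for this campaign: the heuristics, weights, directory names and the three sample .aspx files are all constructed here, and a real sweep would compare against a known-good inventory of the Exchange web root rather than rely on pattern matching alone.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass

# Generic web-shell traits for ASP.NET pages, weighted so that a single
# innocuous hit (a normal form reading a request parameter) does not fire
# on its own. Illustrative heuristics written for this example only.
INDICATORS = [
    (r"<script[^>]*\brunat\s*=\s*[\"']server[\"']", 1, "inline server-side script block"),
    (r"\bRequest\s*(\[|\.Form\b|\.QueryString\b|\.Item\b)", 1, "reads a raw request parameter"),
    (r"\beval\s*\(\s*Request\b", 2, "evaluates request input as code"),
    (r"Process\.Start\s*\(|\bcmd\.exe\b|\bpowershell(\.exe)?\b", 2, "launches a process"),
]
COMPILED = [(re.compile(p, re.I), w, why) for p, w, why in INDICATORS]
THRESHOLD = 2  # flag when the summed weights reach this value


@dataclass
class Finding:
    path: str
    score: int
    reasons: list
    recently_modified: bool  # context only: shells are often newer than the install


def scan_file(path, recent_days=30, now=None):
    """Return a Finding if the file looks like a web shell, else None."""
    now = time.time() if now is None else now
    with open(path, "r", encoding="utf-8", errors="ignore") as f:
        text = f.read()
    score, reasons = 0, []
    for rx, weight, why in COMPILED:
        if rx.search(text):
            score += weight
            reasons.append(why)
    if score < THRESHOLD:
        return None
    age_days = (now - os.path.getmtime(path)) / 86400
    return Finding(path, score, reasons, age_days <= recent_days)


def scan_webroot(root, extensions=(".aspx", ".asmx", ".ashx"), **kw):
    """Walk a web root and return Findings for every script file that scores."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                hit = scan_file(os.path.join(dirpath, name), **kw)
                if hit:
                    findings.append(hit)
    return sorted(findings, key=lambda f: f.path)


def build_sample_webroot():
    """Constructed sample tree: one legitimate page and two toy web shells.
    Paths and contents are invented for this example."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        # benign page, last modified 400 days ago
        "owa/auth/logon.aspx": (
            '<%@ Page Language="C#" %>\n<form runat="server">\n'
            '<asp:TextBox ID="User" runat="server" />\n</form>\n', 400),
        # JScript one-liner that evals whatever arrives in ?cmd=, modified today
        "aspnet_client/help.aspx": (
            '<script language="JScript" runat="server">\n'
            'function Page_Load(){ eval(Request["cmd"], "unsafe"); }\n</script>\n', 0),
        # C# variant that launches cmd.exe with a POSTed argument, modified today
        "ecp/auth/ex.aspx": (
            '<%@ Page Language="C#" %>\n'
            '<% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request.Form["c"]); %>\n', 0),
    }
    now = time.time()
    for rel, (body, age_days) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
        mtime = now - age_days * 86400
        os.utime(path, (mtime, mtime))
    return root


def relative_flagged_paths(root):
    """Flagged files as forward-slash paths relative to the web root."""
    return [os.path.relpath(f.path, root).replace(os.sep, "/") for f in scan_webroot(root)]


if __name__ == "__main__":
    root = build_sample_webroot()
    for f in scan_webroot(root):
        rel = os.path.relpath(f.path, root)
        print(f"{rel}  score={f.score}  recent={f.recently_modified}  {'; '.join(f.reasons)}")
```

On the constructed tree the benign logon page scores 0 and is ignored, while both toy shells are flagged, each with the reasons that triggered and a note that they were modified within the last 30 days. The scoring is deliberately conservative: reading a request parameter is normal for any form, so it only contributes to a verdict when combined with a server-side script block or an execution primitive.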
Although the United States was hit hardest, the first organisation to publicly report a breach was the European Banking Authority (EBA), which is based in Paris and was set up to oversee the European banking market.
The EBA itself confirmed the attack, which was serious enough that its technicians had to take the entire e-mail system offline.
A spokesman for the European Banking Authority said that “the organisation is working to identify any data that the hackers may have accessed”.
The main concern now is that the hackers linked to Beijing, and the other active groups, may have been hiding inside computer systems for months before the exploited vulnerabilities and the intrusions were discovered. In all that time, large amounts of confidential information belonging to companies and public organisations may have been stolen, with potentially disastrous consequences.