The Federal Office for Information Security (BSI) warns of an IT security fiasco based on several critical vulnerabilities in different versions of Microsoft’s Exchange server. Tens of thousands of computers running the groupware software in Germany alone can be attacked over the Internet through these gaps and are “with a high degree of probability already infected with malware,” the authority explains, citing figures from the Shodan search engine, which specializes in the Internet of Things.
Further attacks with little effort
“Organizations of all sizes are affected,” writes the BSI. The office has already issued a security warning for this. In view of the increased risk, it has, according to its own information, also started to inform those potentially affected directly. On Friday, it wrote by post to the management of more than 9,000 medium-sized companies and recommended countermeasures. The agency estimates the actual number of vulnerable systems in Germany to be significantly higher.
The BSI advises all operators of affected Exchange servers to immediately install the security updates provided by Microsoft on Wednesday night. The vulnerabilities thus closed are currently being exploited “actively by an attacker group” via remote access. “In addition, Exchange servers have high rights in the Active Directory by default in many infrastructures,” warns the office. It is therefore conceivable that follow-on attacks carried out with the rights of a taken-over system could “compromise the entire domain with little effort”.
Small and medium-sized businesses often have security gaps
In the case of servers that have not yet been patched, the BSI assumes that these have already been taken over by the criminal hackers and are controlled by them. Due to the public availability of exploit code that makes the vulnerabilities simple to exploit, as well as “strong worldwide scanning activities”, there is currently a very high risk of attack. Vulnerable Exchange systems should therefore also be checked for anomalies as a matter of urgency. The BSI situation center is staffed around the clock, and current information is available there.
To make matters worse, according to the authority, thousands of systems still have gaps that have been known for over a year and have not yet been patched. This is often the case with small and medium-sized companies. In addition to access to the e-mail communication of the companies concerned, attackers can often also gain access to the entire company network via such vulnerable servers.
Hacker group presumably works for Chinese government
The US Cybersecurity and Infrastructure Security Agency (CISA) had already instructed all federal agencies on Wednesday, by means of an emergency directive, to apply the current patches for Exchange. It justifies the use of this rarely used instrument with the unacceptable risk of inaction, since the vulnerabilities are being exploited on a large scale and the attackers thereby gain “permanent system access”.
Microsoft sees the hacking group Hafnium behind the wave of attacks, which, according to the company, “with a high probability” works for the Chinese government and primarily spies on US targets. The attackers had previously targeted health care researchers, law firms, civil society organizations, educational institutions and defense companies.
Focus on email traffic
According to the Krebs on Security portal, at least 30,000 organizations in the US have been hacked in the past few days by the particularly aggressive cyber espionage force. These include many medium-sized companies, but also city and municipal administrations. The attackers are particularly keen on the facilities’ e-mail traffic.
In every incident, the intruders reportedly left a “web shell”, an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser with administrator rights. According to cybersecurity experts, the group has already taken control of hundreds of thousands of Exchange servers worldwide.
Foreign government spies
According to Microsoft, the first indication of the Exchange vulnerabilities came from the Virginia IT security company Volexity. Its head, Steven Adair, said the company was working on dozens of cases in which web shells had been installed on target systems on February 28, before the updates were released by Microsoft. Even though the holes were patched on Wednesday, there is a high probability that the hackers’ software is already present on a vulnerable server. After the so-called SolarWinds hack, the new wave of attacks marks the second case of a large-scale cyber campaign behind which the US sees spies of foreign governments at work.