
Microsoft Exchange Server hack threatens global cybersecurity

Chinese espionage group called 'Hafnium' attacked Exchange Server


An aggressive hacking campaign, said to have originated in China, has potentially infected tens of thousands of companies worldwide.

A state-backed threat group linked to China, exploiting four vulnerabilities in Microsoft Exchange Server, has affected small and medium businesses around the world. It is suspected that someone used stolen passwords to get access to the system. Microsoft alleged that a Chinese espionage group called Hafnium launched the attacks against Exchange Server.

Microsoft on Friday warned of active attacks exploiting unpatched Exchange Server and issued a patch to protect against the flaws. On Sunday, Microsoft released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities.

Hafnium mostly targets entities in the United States, aiming to steal data from researchers and higher education institutions, as well as from defence contractors, legal firms, policy think tanks and NGOs. More than 30,000 US firms have been compromised. Bloomberg estimated this figure to be around 60,000.

The European Banking Authority's email servers have been compromised in a global Microsoft Exchange cyber-attack, according to the BBC. The EBA fears that personal data might have been accessed from its servers. The email system has gone offline and the damage is still being assessed.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert after it identified a threat targeting Microsoft Exchange Server 2010, 2013, 2016 and 2019 email servers. Exchange Online has not been hit.

Firms have been advised to take the following steps to secure their data:

CISA asked users to restrict or block extranet access to internet-facing Exchange Servers. Then, install and implement the patch updates released by Microsoft. Servers should remain disconnected until software updates are complete. Assess servers for compromise and conduct a review as needed. Copies of audit logs and forensic assessments should be maintained.

The National Security Council of the United States has asked people to take precautions. Any organisation with a vulnerable server must take immediate measures to determine if they were already targeted.

"We are undertaking a whole of government response to assess and address the impact," wrote a White House official in an email sent on Saturday. "Everyone running these servers—government, private sector, academia—needs to act now to patch them," White House press secretary Jen Psaki said.
