A massive espionage spree by a state-sponsored Chinese hacking group has hit at least 30,000 victims in the United States alone. The Exchange Server vulnerabilities leveraged by the group known as Hafnium have been patched, but the trouble is far from over. Now that criminal hackers can see what Microsoft has fixed, they can reverse engineer their own exploits, opening the door for escalating attacks like ransomware on anyone who’s still exposed.
In the week since Microsoft first released its patches, the dynamic already appears to be playing out. Analysts have seen multiple groups, most still unidentified, getting in on the action in recent days, with more hackers likely still to come. The longer organizations take to patch, the more potential trouble they’ll find themselves in.
While many organizations that get email services from Microsoft use the company’s cloud offerings, others choose to run an Exchange server themselves “on premises,” meaning that they physically own and operate the email servers and manage the system. Microsoft issued patches for four vulnerabilities in its Exchange Server software last Tuesday and said in those initial warnings that the Chinese state-backed hacking group Hafnium was behind the spree. It also confirmed this week that the barrage hasn’t stopped.
“Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server,” the company said in an update on Monday.
Later that evening, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency reasserted the urgent need for vulnerable organizations to take action. “CISA urges ALL organizations across ALL sectors to follow guidance to address the widespread domestic and international exploitation of Microsoft Exchange Server product vulnerabilities,” the agency tweeted.
As bad as things are right now with Exchange exploitation, incident responders anticipate that things could get even worse without action.
“There’s an inflection point where this moves from the hands of espionage operators into the hands of criminals and potentially open source,” says John Hultquist, vice president of intelligence analysis at security firm FireEye. “That’s what we’re all holding our breath for right now, and it’s probably currently happening.”
Patches are crucial to protecting organizations, but researchers and attackers alike can also use them to study an underlying vulnerability and figure out how to exploit it. That arms race doesn’t detract from the importance of issuing fixes, but it can potentially turn targeted, espionage-driven attacks into a destructive melee.
“I suspect that people are gong to figure out how to exploit these vulnerabilities that have nothing to do with Hafnium or their friends,” said Steven Adair, CEO of security firm Volexity, which first spotted the Exchange Server hacking campaign, in an interview last week. “Cryptocurrency mining people and ransomware people are going to get into this game.”
Threat intelligence analysts at the security firms Red Canary and Binary Defense are already seeing indications that attackers are laying groundwork to run cryptominers on exposed Exchange servers.
An already tenuous situation stands to get much worse once someone publicly releases a proof-of-concept exploit, essentially providing a blueprint hacking tool that others can use. “I know some research teams are working on proof-of-concept exploits for them to be able to protect and defend their customers,” says Katie Nickels, director of intelligence at the security firm Red Canary. “The thing that everyone’s nervous about right now is if someone publishes a proof-of-concept.”
On Tuesday, researchers at the enterprise security firm Praetorian released a report about an exploit they have developed for the Exchange vulnerabilities. The firm says it made a conscious choice to leave out some key details that would allow virtually any attacker, regardless of their skill and expertise, to weaponize the tool. On Wednesday, security researcher Marcus Hutchins said that a working proof of concept has started circulating publicly.