Exchange gets broken.

I am in the slow process of de-googling myself and getting mail services somewhere safe. But I can't speak for my employers, who have both moved to Office 365. This broke email for a few days, and it looks like the digital warfare services of other nations have decided to break Exchange.

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.

In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.

In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.

Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.

Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

From Slashdot:

The White House on Sunday urged computer network operators to take further steps to gauge whether their systems were targeted amid a hack of Microsoft Corp’s Outlook email program, saying a recent software patch still left serious vulnerabilities. “This is an active threat still developing and we urge network operators to take it very seriously,” a White House official said, adding that top U.S. security officials were working to decide what next steps to take following the breach…

While Microsoft released a patch last week to shore up flaws in its email software, the remedy still leaves open a so-called back door that can allow access to compromised servers and perpetuating further attacks by others. “We can’t stress enough that patching and mitigation is not remediation if the servers have already been compromised, and it is essential that any organization with a vulnerable server take measures to determine if they were already targeted,” the White House official said…

The back channels for remote access can impact credit unions, town governments and small business, and have left U.S. officials scrambling to reach victims, with the FBI on Sunday urging them to contact the law enforcement agency. Those affected appear to host Web versions of Microsoft’s email program Outlook on their own machines instead of cloud providers, possibly sparing many major companies and federal government agencies, records from the investigation suggest… So far, only a small percentage of infected networks have been compromised through the back door, the source previously told Reuters, but more attacks are expected.
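The point the White House official makes above, that patching is not remediation once a web shell has already been dropped, comes down to a practical question: which files under the web-facing paths changed since the server was known good? The following is an added example (not from this post, Krebs, or Microsoft) of the simplest defender-side check for that: a manifest of file hashes taken at a known-good point in time, compared against the current tree after patching. The directory layout and file contents are constructed for the demo; on a real server the baseline would come from a clean build or backup, and every "added" or "modified" hit is something to triage, not proof of compromise.

```python
"""Baseline-diff check for web-accessible directories (added example)."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify files as added, modified or removed relative to the baseline.

    A web shell dropped after the baseline shows up as 'added'; a legitimate
    page that was tampered with shows up as 'modified'.
    """
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(
        p for p in current if p in baseline and current[p] != baseline[p]
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: a known-good tree, then one drop-in and one edit."""
    with tempfile.TemporaryDirectory() as root:
        wwwroot = os.path.join(root, "wwwroot")
        os.makedirs(wwwroot)
        with open(os.path.join(wwwroot, "logon.aspx"), "w") as fh:
            fh.write("<%-- legitimate page (constructed) --%>\n")
        with open(os.path.join(root, "web.config"), "w") as fh:
            fh.write("<configuration/>\n")

        # Known-good snapshot, taken before anything went wrong.
        baseline = build_manifest(root)

        # Simulated post-incident state: a new file appears under the web
        # root and an existing config is altered. Contents are placeholders.
        with open(os.path.join(wwwroot, "extra.aspx"), "w") as fh:
            fh.write("constructed placeholder, not a real shell\n")
        with open(os.path.join(root, "web.config"), "a") as fh:
            fh.write("<!-- changed -->\n")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The hash manifest is deliberately independent of timestamps, since a dropped file can have its modification time set to match its neighbours; content hashes cannot be backdated. Run the diff after patching, then treat the "added" list as the starting point for an investigation rather than as the end of one.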

The government is warning everyone to update their servers.

Microsoft said its email Exchange software has been infiltrated in a state-sponsored attack which the White House is now calling an “active threat”.

There are fears hundreds of thousands of public and private sector organisations worldwide have been compromised, allowing hackers to download emails.

AUT computer science professor Dave Parry said the hackers could steal valuable intellectual property or use information to blackmail people.

“It is extremely concerning, the ones that have been attacked really have been completely open, so the attackers could have taken whatever emails they like from these Exchange servers – and looked at calendar appointments, all sorts of other things.”

Professor Parry said people should download a fix immediately – although this will only work if servers were not already compromised.

He said people should also run a security check to find and delete any malicious software installed.

Professor Parry said it appeared only those who run their own Exchange servers were being affected, rather than those using cloud-based Microsoft email.

He said central government likely has good hacking protection so possibly will not have been compromised, but local councils, DHBs and medium scale businesses could all have been affected.

Professor Parry said the hack was another reminder of how insecure email could be.

Andrew Cushen from InternetNZ said it was a large, widespread attack on tools that are commonly used in New Zealand and around the world.

“But that it’s been discovered gives us an opportunity to act and to manage the challenges that this presents. So if you are worried now’s the time to act.”

He said people should contact their IT specialists or go to the website of CertNZ, New Zealand’s cyber security agency, for more information.

Michael Shearer, CertNZ’s principal advisor for threats and vulnerabilities, said he wouldn’t comment on which New Zealand firms have been affected, saying that information was confidential.

The minister responsible for the GCSB, Andrew Little, said the National Cyber Security Centre has been working with its customers to pass on mitigation advice developed by Microsoft.

He said it’s a reminder to have automatic updates turned on – something home users generally do.

“The public service is aware of and appropriately managing the risks to its own networks,” Little said.

Microsoft used to use its customers as beta testers. It may be that it is now using whole organizations. One cannot control what corporations do, but I would use Fastmail or ProtonMail instead.