The Federal Office for Information Security (BSI) is warning of IT security incidents resulting from several critical vulnerabilities in various versions of Microsoft Exchange Server. In Germany alone, tens of thousands of Exchange servers reachable from the Internet can be attacked through these vulnerabilities and are, with a "high probability, already infected with malware", as the authority states, citing figures from Shodan, a search engine that indexes Internet-connected devices.
More attacks with less effort
"Organisations of all sizes are affected", the BSI writes. The office has already issued a security warning for this and, given the increased stakes, has also begun contacting potentially affected organisations directly: on Friday it wrote by post to the management of more than 9,000 mostly medium-sized companies and recommended countermeasures. The agency assumes that the actual number of vulnerable systems in Germany is considerably higher.
The BSI advises all affected Exchange server operators to install immediately the security updates Microsoft released on Wednesday night. The now-closed vulnerabilities "are currently being actively exploited by a group of attackers" over the Internet. "In addition, in many infrastructures Exchange servers hold high Active Directory privileges by default," the office warns. It is therefore conceivable that follow-on attacks carried out with the rights of the compromised system could "endanger the entire domain with little effort".
Small and medium businesses often have security flaws
For servers that have not yet been patched, the BSI assumes that criminal hackers have already taken control of them. Because exploit code that makes exploitation simple is now generally available and "intensive scanning activity is being observed worldwide", the risk of attack is currently very high. In addition to patching, vulnerable Exchange systems should therefore be checked urgently for anomalies. The BSI's situation centre, which operates around the clock, provides current information.
To make matters worse, according to the authority thousands of systems have for more than a year carried known vulnerabilities that have still not been fixed. This is often the case at small and medium-sized businesses. Besides gaining access to the email communications of the affected companies, attackers can often reach the entire corporate network through these vulnerable servers.
The hacker group is presumably working for the Chinese government
The US Cybersecurity and Infrastructure Security Agency (CISA) had already instructed all federal agencies on Wednesday, by emergency directive, to apply the current Exchange fixes. This rarely used instrument is justified by the "unacceptable risk" of inaction, since the vulnerabilities are being exploited on a large scale and give attackers "persistent access to the system".
Microsoft attributes the wave of attacks to the Hafnium group, which according to the company most likely works for the Chinese government and primarily spies on US targets. The attackers had previously targeted health-care researchers, law firms, civil-society organisations, educational institutions and defence contractors.
Focus on email traffic
According to the Krebs on Security portal, at least 30,000 organisations in the United States have been compromised in recent days by an unusually aggressive cyber-espionage unit. These include many medium-sized companies, but also city and municipal administrations. The attackers are particularly interested in the email traffic of the compromised installations.
In each incident, the report says, the hackers left behind a "web shell", an easy-to-use, password-protected hacking tool that can be reached over the Internet from any browser and gives administrative access to the server. According to cybersecurity experts, the group has already gained control of hundreds of thousands of Exchange servers around the world.
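A first triage step for operators who want to act on the advice above is to look for server-side script files that appeared on the Exchange server around the time of the campaign. The following PowerShell is an added example written for this page; it is not from the article, the BSI or Microsoft. It assumes a default Exchange 2013/2016/2019 installation under the V15 directory, and the directories listed as drop locations and the February 28 cut-off date are assumptions to be adjusted for the environment being checked.

```powershell
# Added example (not from the article, BSI or Microsoft). Assumes a default Exchange V15 install path.
$ExchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'

# Cut-off: earliest date of web-shell activity mentioned in the article. Assumption: widen it if in doubt.
$Since = Get-Date '2021-02-28'

# Web-accessible directories where dropped .aspx files are served by IIS (assumption; extend as needed).
$Paths = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    'C:\inetpub\wwwroot\aspnet_client'
)

# Collect script files created or modified on/after the cut-off date.
$Suspect = foreach ($p in $Paths) {
    if (Test-Path -Path $p) {
        Get-ChildItem -Path $p -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since }
    }
}

# Flag files whose code is driven by request parameters, the usual shape of a web shell.
$Report = foreach ($f in $Suspect) {
    $content = Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Path          = $f.FullName
        Created       = $f.CreationTime
        Modified      = $f.LastWriteTime
        SizeBytes     = $f.Length
        RequestDriven = [bool]($content -match 'Request\[|Request\.Item|Request\.Form|JScript')
    }
}
$Report | Sort-Object Created -Descending | Format-Table -AutoSize

# Record the installed Exchange build so the patch state can be compared with Microsoft's advisory.
$ExSetup = Join-Path $ExchangeRoot 'bin\ExSetup.exe'
if (Test-Path -Path $ExSetup) {
    (Get-Item -Path $ExSetup).VersionInfo.ProductVersion
}
```

Run this from an elevated PowerShell session on the Exchange server. A hit in the list is not proof of compromise on its own (legitimate customisations can match), but any unexpected file in these directories with a creation time after the cut-off warrants preserving the file and the IIS logs before cleaning up, since the article's point is that patching alone does not remove a shell that is already in place.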
Spies of foreign governments
According to Microsoft, the first indication of the Exchange vulnerabilities came from the Virginia-based IT security company Volexity. Its head, Steven Adair, said the company was already dealing with dozens of cases of web shells installed on target systems on February 28, before Microsoft released its updates. Even if the vulnerabilities were patched on Wednesday, there is a high probability that hacking software is already present on a previously vulnerable server. After the so-called SolarWinds hack, the new wave of attacks is the second large-scale cyber campaign in which the United States sees foreign governments acting as spies.