Four recently disclosed Microsoft vulnerabilities have apparently been exploited on a massive scale. The tech magazine Wired reported on Saturday that tens of thousands of corporate, government and educational e-mail servers had been hacked in the United States. On Friday, the Federal Office for Information Security (BSI) asked thousands of German companies to close the gap quickly.
A security update for the vulnerabilities has been available since last Wednesday. Experience shows, however, that it takes a while until all affected companies have installed such updates. A so-called patch, i.e. the correction of the error, can at times make a critical vulnerability even more dangerous: if attackers know that a gap may soon be closed, they often intensify their efforts in order to access as much data as possible before it is.
That seems to have happened in this case. On February 26, the attackers apparently began to automatically plant back doors in vulnerable Microsoft Exchange servers, attacking thousands of servers an hour. Microsoft's update only came on March 3. Exchange is used as an e-mail platform by many companies, government agencies and educational institutions.
According to the security company Huntress, which analyzed the attacks, banks, energy providers, retirement homes and an ice cream manufacturer are among the victims that have become known in the USA. The European Banking Authority (EBA) also announced on Sunday that unauthorized persons may have had access to e-mails. There are likely to be thousands of victims in Germany too, says Mark Sobol, who is responsible for the security division of the German IT company SVA. At the moment it looks like 70 to 80 percent of his customers have the back door in their systems. “I assume that it is the same for all German IT security companies.”
His company is simply overwhelmed by the number of inquiries right now. There are not enough staff available for proper forensic analysis. Normally a team would be sent out to check exactly which components are affected and how. This is currently impossible because there are too many victims and too few employees. SVA recommends using the scripts provided by Microsoft or other analysis tools to check whether a company has been compromised. Companies that had not specially secured their Exchange servers could, in principle, assume that they were affected, says Sobol.
A group of Chinese state hackers is believed to be behind the attack
As a first step, he advises companies to reset all user passwords. To be really sure, however, further and much more complex steps would have to follow. The hackers were able to extract extensive data from a company with the help of the vulnerability. Therefore, as a precaution, companies should also file a corresponding report with the responsible data protection authority so as not to miss the applicable deadlines, says Sobol.
According to Microsoft, the attackers are in all likelihood a group of Chinese state hackers that the company calls “Hafnium”. Originally, they were primarily looking for information in the United States. Targets were, among other things, universities, law firms and companies with defense contracts.
According to Microsoft, the 2013, 2016 and 2019 Exchange server versions are affected. The vulnerabilities do not exist in the cloud versions of Microsoft’s e-mail service.