A couple of days ago, Microsoft released an emergency patch aimed at fixing four zero-day vulnerabilities in Exchange Server, but that hasn’t stopped a hacker group from using them. What’s more, the China-backed Hafnium group has launched a massive automated campaign following the release of the patch, Krebs on Security and Wired report.
In the United States alone, the group gained access to data from at least 30,000 companies that use Exchange for their mail. The victims also included police departments, hospitals, local authorities, banks, non-profit organizations and telecommunications providers.
Worldwide, the number of victims reaches hundreds of thousands.
Almost everyone who maintained their own Outlook Web Access and did not install the patch a couple of days ago fell victim to a zero-day attack.
Even now, thousands of servers around the world are being compromised every hour. But even those who installed the emergency patch could already be victims.
Moreover, the patch only closes the Exchange Server vulnerabilities; organizations that have already been compromised must remove the attackers’ foothold from their systems on their own. Hafnium uses the vulnerabilities to plant web shells on victims’ servers, giving the attackers administrative access with which to steal information.
Experts are concerned that the attackers could use this access to establish additional paths for the subsequent exploitation of the servers.
The Hafnium attack is reported to be larger than even the recent SolarWinds hack, which compromised about 18,000 organizations. According to Wired, in the current case, the attacks were aimed at small and medium-sized organizations, while SolarWinds attacked tech giants and major government agencies in the United States.
Microsoft said it is working with the cybersecurity agency, other governments and experts to provide users with more information and guidance on the next steps. However, if the scale is really that huge, then the damage has already been done and in the long term could amount to many billions of dollars.
How many companies, organizations and agencies have become victims of the hack is not yet clear. If your company uses Microsoft Exchange Server, be sure to raise the potential issue with your technical support team.