| Date | |
|---|---|
| Location | Global |
| Type | Cyberattack,data breach |
| Cause | MicrosoftExchange Serverzero-day vulnerabilities[4] |
| First reporter | Microsoft (public disclosure)[3] |
| Suspects | Hafnium,[5][6] and at least nine others.[7] |
A global wave ofcyberattacks anddata breaches began in January 2021 after fourzero-day exploits were discovered inon-premisesMicrosoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers,administrator privileges on the server, and access to connected devices on the same network. Attackers typically install abackdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021[update], it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom,[8] as well as theEuropean Banking Authority, theNorwegian Parliament, and Chile's Commission for the Financial Market (CMF).[9][10][11][12][13][14]
On 2 March 2021, Microsoft released updates forMicrosoft Exchange Server 2010, 2013, 2016 and 2019 to patch the exploit; this does not retroactively undo damage or remove any backdoors installed by attackers. Small and medium businesses, local institutions, and local governments are known to be the primary victims of the attack, as they often have smaller budgets to secure against cyber threats and typically outsourceIT services to local providers that do not have the expertise to deal with cyber attacks.[15]
On 12 March 2021, Microsoft announced the discovery of "a new family ofransomware" being deployed to servers initially infected,encrypting all files, making the server inoperable and demanding payment to reverse the damage.[16] On 22 March 2021, Microsoft announced that in 92% of Exchange servers the exploit has been either patched or mitigated.[17]
Microsoft Exchange is a widely used email server software and a frequent target for cyberattacks on business networks. According to Microsoft, its environment allows attackers to misuse built-in administrative tools or scripts for malicious purposes.[18] Microsoft Exchange has previously been targeted by nation-statethreat actors.[19][20]
On 5 January 2021, security testing company DEVCORE reported the vulnerability to Microsoft, which Microsoft confirmed on 8 January.[21] On 6 January 2021, cybersecurity company Volexity detected the first known breach of a Microsoft Exchange Server instance.[1] By late January, Volexity detected a breach that allowed attackers to access data from two of its customers and reported the vulnerability to Microsoft. Following Microsoft's notification of the breach, Volexity reported that the hackers became less discreet in anticipation of apatch.[22]
On 2 March 2021, cybersecurity companyESET reported observing multiple threat actors, in addition toHafnium, exploiting the vulnerabilities.[4] On 10 March 2021,Wired reported that following the patch, additional threat actors were likely toreverse engineer the fix to target unpatched servers. Analysts at two security firms reported observing signs that attackers were preparing to deploycryptomining software on affected servers.[23]
On 10 March 2021, security researcher Nguyen Jang postedproof-of-concept code to Microsoft-ownedGitHub demonstrating how the exploit works, consisting of 169 lines of code. The program was intentionally written with errors, allowing security researchers to understand the exploit while preventingmalicious actors from using the code to access servers. Later that day, GitHub removed the code, stating that it "contains proof-of-concept code for a recently disclosed vulnerability that is being actively exploited".[24][25] On 13 March, another group independently published exploit code, which required minimal modification to function. TheCERT Coordination Center's Will Dormann stated that the "exploit is completely out of the bag by now".[26]
The attacks came shortly after the2020 United States federal government data breach, which also involved the compromise of Microsoft's Outlook web application andsupply chain. Microsoft stated that there was no connection between the two incidents.[27]
Microsoft said that the attack was initially perpetrated by theHafnium, a Chinese state-sponsored hacking group (advanced persistent threat) that operates out of China.[5][22][6][26] Hafnium is known to install the web shellChina Chopper.[26] Microsoft identified Hafnium as "a highly skilled and sophisticated actor" that historically has mostly targeted "entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs."[28] Announcing the hack, Microsoft stated that this was "the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society."[28] As of 12 March 2021, there were, in addition to Hafnium, at least nine other distinct groups exploiting the vulnerabilities, each different styles and procedures.[7][29]
The Chinese government denied involvement, calling the accusations "groundless."[22][30]
In a July 19, 2021 joint statement, theUS,UK,EU,NATO, and otherWestern nations accused theMinistry of State Security (MSS) of perpetrating the Exchange breach, along with other cyberattacks, "attributing with a high degree of confidence that malicious cyber actors affiliated withPRC’s MSS conductedcyber espionage operations utilizing thezero-day vulnerabilities inMicrosoft Exchange Server disclosed in early March 2021."[31][32][33][34]
Hackers took advantage of four separatezero-day vulnerabilities to compromise Microsoft Exchange servers'Outlook Web Access (OWA),[2] giving them access to victims' entire servers and networks as well as to emails and calendar invitations,[4] only at first requiring the address of the server, which can be directly targeted or obtained by mass-scanning for vulnerable servers; the attacker then uses two exploits, the first allowing an attacker to connect to the server and falselyauthenticate as a standard user. With that, a second vulnerability can then be exploited, escalating that user access to administratorprivileges.[35][36] The final two exploits allow attackers to upload code to the server in any location they wish,[36] that automatically runs with these administrator privileges. Attackers then typically use this to install aweb shell, providing abackdoor to the compromised server,[37] which gives hackers continued access to the server as long as both the web shell remains active and the Exchange server remains on.[29]
Through theweb shell installed by attackers, commands can be run remotely. Among the actions observed are the downloading of all emails from servers, downloading the passwords and email addresses of users as Microsoft Exchange stores these unencrypted inmemory, adding users, adding further backdoors to affected systems, accessing other systems in the network that are unsusceptible to the original exploit, and installingransomware.[38] As patching the Exchange server against the exploit does not retroactively remove installed backdoors, attackers continue to have access to the server until the web shell, other backdoors and user accounts added by attackers are removed.[39]
On 27 and 28 February 2021, there was an automated attack, and on 2 and 3 March 2021, attackers used a script to return to the addresses to drop a web shell to enable them to return later.[29] Referring to the week ending 7 March,CrowdStrike co-founderDmitri Alperovitch stated: "Every possible victim that hadn't patched by mid-to-end of last week has already been hit by at least one or several actors".[40] After the patch was announced, the tactics changed when using the same chain of vulnerabilities.[29][41]
Microsoft Exchange Server versions of 2010, 2013, 2016 and 2019 were confirmed to be susceptible, although vulnerable editions are yet to be fully determined.[42] Cloud-based services Exchange Online andOffice 365 are not affected.[43]
Hackers have exploited the vulnerabilities to spy on a wide range of targets, affecting an estimated 250,000 servers.[11][44] Tom Burt, Microsoft's vice president for Customer Security & Trust, wrote that targets had included disease researchers, law offices, universities, defense contractors,non-governmental organizations, andthink tanks.[28][9][45]
Automatic updates are typically disabled by server administrators to avoid disruption fromdowntime and problems in software,[46] and are by convention installed manually by server administrators after these updates are tested with the existing software and server-setup;[47] as smaller organizations often operate under a smaller budget to do this in-house or otherwise outsource this to local IT providers without expertise in cybersecurity, this is often not done until it becomes a necessity, if ever. This means small and medium businesses, and local institutions such as schools and local governments are known to be the primary victims of the attack as they are more likely to not have received updates topatch the exploit. Rural victims are noted to be "largely on their own", as they are typically without access to IT service providers.[15] On 11 March 2021,Check Point Research revealed that in the prior 24 hours "the number of exploitation attempts on organizations it tracks tripled every two to three hours."[48][49]
Check Point Research has observed theUnited States as being the most attacked country with 17% of all exploit attempts, followed byGermany with 6%, the United Kingdom and theNetherlands both at 5%, andRussia with 4% of all exploits;government/military is the most targeted sector with 23% of exploit attempts, followed bymanufacturing at 15%,banking andfinancial services at 14%, software vendors with 7% and healthcare at 6%.[26][50]
The attack was discovered after attackers were discovered downloading all emails belonging to specific users on separate corporate Exchange servers.[38] An undisclosedWashington think tank reported attackers sending convincing emails to contacts in asocial engineering attack that encouraged recipients to click on a link.[45] On 11 March 2021, Norway's parliament, theStorting, reported being a victim of the hack, stating that "data has been extracted."[51]
TheEuropean Banking Authority also reported that it had been targeted in the attack,[10] later stating in a press release that the scope of impact on its systems was "limited" and that "the confidentiality of the EBA systems and data has not been compromised".[52]
Security companyESET identified "at least 10"advanced persistent threat groups compromising IT, cybersecurity, energy, software development,public utility, real estate, telecommunications and engineering businesses, as well as Middle Eastern and South American governmental agencies. One APT group was identified deployingPowerShell downloaders, using affected servers for cryptocurrency mining.[7]Cybereason CEO Lior Div noted that APT group Hafnium "targeted small and medium-sized enterprises ... The assault against Microsoft Exchange is 1,000 times more devastating than theSolarWinds attack."[53]
On 12 March 2021, Microsoft Security Intelligence announced "a new family ofransomware" called DearCry being deployed to the servers that had been initially infected, encrypting device contents, making servers unusable and demanding payment to recover files.[16] Microsoft stated: "There is no guarantee that paying the ransom will give you access to your files."[54]
On 18 March 2021, an affiliate of ransomware cybergangREvil claimed they had stolen unencrypted data fromTaiwanese hardware and electronics corporationAcer, including an undisclosed number of devices being encrypted, with cybersecurity firm Advanced Intel linking this data breach and ransomware attack to the Microsoft Exchange exploits. Advanced Intel detected one of Acer's Microsoft Exchange servers first being targeted on 5 March 2021. REvil has demanded a $50 millionU.S. dollar ransom, claiming if this is paid they would "provide a decryptor, a vulnerability report, and the deletion of stolen files", and stating that the ransom would double to $100 million U.S. dollars if not paid on 28 March 2021.[55]
On 2 March 2021, theMicrosoft Security Response Center (MSRC) publicly posted an out-of-bandCommon Vulnerabilities and Exposures (CVE) release, urging its clients topatch their Exchange servers to address a number of criticalvulnerabilities.[3] On 15 March, Microsoft released a one-clickPowerShell tool, The Exchange On-Premises Mitigation Tool, which installs the specific updates protecting against the threat, runs amalware scan which also detects installed web shells, and removes threats that were detected; this is recommended as a temporary mitigation measure, as it does not install other available updates.[56]
On 3 March 2021, the U.S.Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive forcing government networks to update to a patched version of Exchange. On 8 March, CISA tweeted whatNBC News described as an "unusually candid message" urging "ALL organizations across ALL sectors" to address the vulnerabilities.[57][58]
Other official bodies expressing concerns included theWhite House,Norway's National Security Authority and the Czech Republic's Office for Cyber and Information Security.[59][60] On 7 March 2021,CNN reported that theBiden administration was expected to form a task force to address the breach;[61] the Biden administration has invited private-sector organizations to participate in the task force and will provide them with classified information as deemed necessary. U.S. National Security AdvisorJake Sullivan stated that the U.S. is not yet in a position to attribute blame for the attacks.[48]
In July 2021, the Biden administration, along with a coalition of Western allies, formally blamed China for the cyber attack. The administration highlighted the ongoing threat of from Chinese hackers, but did not accompany the condemnation with any form of sanctions. According to White House press secretaryJen Psaki, the administration is not ruling out future consequences for China.[62]