Microsoft Exchange servers have been under attack in the past few days by a number of groups, including several known "state-sponsored and cyber-criminal hacking groups". They are targeting several zero-day vulnerabilities that have come to light. What I find interesting is the number of groups that all began exploiting these vulnerabilities at the same time. Additional groups, including ransomware organizations, have joined in on the hacking attempts, especially after Microsoft issued patches for the vulnerabilities.
Below "the fold" is a roundup of the stories that have been submitted so far.
There's a Vexing Mystery Surrounding the 0-day Attacks on Exchange Servers
There's a vexing mystery surrounding the 0-day attacks on Exchange servers:
The Microsoft Exchange vulnerabilities that allow hackers to take over Microsoft Exchange servers are under attack by no fewer than 10 advanced hacking groups, six of which began exploiting them before Microsoft released a patch, researchers reported Wednesday. That raises a vexing question: how did so many separate threat actors have working exploits before the security flaws became publicly known?
Researchers say that as many as 100,000 mail servers around the world have been compromised, with those for the European Banking Authority and Norwegian Parliament being disclosed in the past few days. Once attackers gain the ability to execute code on the servers, they install web shells, which are browser-based windows that provide a means for remotely issuing commands and executing code.
[...] The mystery is compounded by this: within a day of Microsoft issuing the patches, at least three more APTs joined the fray. A day later, another one was added to the mix. While it's possible that those four groups reverse-engineered the fixes, developed weaponized exploits, and deployed them at scale, those types of activities usually take time. A 24-hour window is on the short side.
There's no clear explanation for the mass exploitation by so many different groups, leaving researchers few alternatives other than to speculate.
[...] Of course, it's possible that the half-dozen APTs that exploited the vulnerabilities while they were still zero-days independently discovered the vulnerabilities and developed weaponized exploits. If that's the case, it's likely a first, and hopefully a last.
Microsoft Exchange Server Zero-Day Attacks: Malicious Software Found on 2,300 Machines in the UK
Source: Microsoft Exchange Server zero-day attacks: Malicious software found on 2,300 machines in the UK:
Any organisations that have yet to apply the critical updates to secure zero-day vulnerabilities in Microsoft Exchange Server are being urged to do so immediately to prevent what's described as an 'increasing range' of hacking groups attempting to exploit unpatched networks.
The NCSC says it believes that over 3,000 Microsoft Exchange email servers used by organisations in the UK haven't had the critical security patches applied, so remain at risk from cyber attackers looking to take advantage of the vulnerabilities.
If organisations can't install the updates, the NCSC recommends that untrusted connections to Exchange server port 443 should be blocked, while Exchange should also be configured so it can only be accessed remotely via a VPN.
It's also recommended that all organisations that are using an affected version of Microsoft Exchange should proactively search their systems for signs of compromise, in case attackers have been able to exploit the vulnerabilities before the updates were installed.
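A hunting pass over the two artifacts that advice points at, as an added example that is not from the article, the NCSC or Microsoft: it runs the log indicator Microsoft published for CVE-2021-26855 (an unauthenticated HttpProxy request whose AnchorMailbox has the form "ServerInfo~<host>/<path>") over a constructed, column-reduced log, and a content heuristic for dropped web shells over constructed stand-ins for .aspx files. The column layout, file paths, addresses and sample values are all assumptions; on a real server the CSVs sit under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy and the .aspx scan would walk the IIS web roots instead of a dictionary.

```python
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Constructed sample: a column-reduced stand-in for an Exchange HttpProxy CSV
# log (real files carry many more columns). IPs, users and timestamps are made
# up. Rows 2 and 4 carry the CVE-2021-26855 indicator Microsoft published: no
# AuthenticatedUser, and an AnchorMailbox of the form "ServerInfo~<host>/<path>".
# Row 5 is unauthenticated but has a normal Sid~ anchor and must not be flagged.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T10:01:12Z,1,10.0.0.5,/owa/,alice@example.test,Sid~S-1-5-21-1-2-3-1001
2021-03-03T10:02:40Z,2,203.0.113.9,/ecp/y.js,,ServerInfo~exchange.example.test/autodiscover/autodiscover.xml
2021-03-03T10:03:01Z,3,10.0.0.7,/mapi/emsmdb/,bob@example.test,Sid~S-1-5-21-1-2-3-1002
2021-03-03T10:05:55Z,4,203.0.113.9,/owa/auth/x.js,,ServerInfo~exchange.example.test/ecp/
2021-03-03T10:06:10Z,5,10.0.0.5,/owa/,,Sid~S-1-5-21-1-2-3-1001
"""

# Constructed stand-ins for .aspx files found under the Exchange web roots
# (paths are assumptions). The first is deliberately not a working shell: it
# only carries the tokens the content heuristic keys on.
SAMPLE_ASPX_FILES = {
    r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx":
        '<script runat="server">/* constructed: reads Request["x"] and passes it to eval(...) */</script>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        '<%@ Page Language="C#" AutoEventWireup="true" %>\n<!-- constructed stand-in for a legitimate OWA page -->',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx":
        '<%@ Page Language="C#" %>\n<script runat="server">void Page_Load(object s, EventArgs e) { Response.Write("error"); }</script>',
}

# "ServerInfo~" followed by a host and then a path: the proxied backend target.
SERVERINFO_ANCHOR = re.compile(r"^ServerInfo~[^/\s]+/")
# A server-side script block, plus a sink that executes or spawns from request input.
SERVER_SCRIPT = re.compile(r'runat\s*=\s*"?server"?', re.IGNORECASE)
EXEC_SINK = re.compile(r"\beval\s*\(|\bRequest\s*[\[.]|Process\.Start|cmd\.exe", re.IGNORECASE)


@dataclass(frozen=True)
class SsrfHit:
    when: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str


def find_ssrf_hits(log_text: str) -> list[SsrfHit]:
    """Rows matching the CVE-2021-26855 indicator: an unauthenticated request
    whose AnchorMailbox names a backend host and path via ServerInfo~."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["AuthenticatedUser"].strip():
            continue  # authenticated traffic is not this pattern
        if SERVERINFO_ANCHOR.match(row["AnchorMailbox"]):
            hits.append(SsrfHit(row["DateTime"], row["ClientIpAddress"],
                                row["UrlStem"], row["AnchorMailbox"]))
    return hits


def source_ips(hits: list[SsrfHit]) -> list[str]:
    """Distinct client addresses behind the hits, for pivoting into firewall and IIS logs."""
    return sorted({h.client_ip for h in hits})


def looks_like_webshell(content: str) -> bool:
    """Heuristic: a server-side script block combined with an execution sink.
    Legitimate Exchange pages use runat="server" too, so the sink is required."""
    return bool(SERVER_SCRIPT.search(content) and EXEC_SINK.search(content))


def find_suspicious_aspx(files: dict[str, str]) -> list[str]:
    """Paths of .aspx files whose content trips the web shell heuristic."""
    return sorted(path for path, content in files.items()
                  if path.lower().endswith(".aspx") and looks_like_webshell(content))


if __name__ == "__main__":
    hits = find_ssrf_hits(SAMPLE_HTTPPROXY_LOG)
    for h in hits:
        print(f"{h.when} {h.client_ip} {h.url_stem} -> {h.anchor_mailbox}")
    print("source IPs:", ", ".join(source_ips(hits)))
    for path in find_suspicious_aspx(SAMPLE_ASPX_FILES):
        print("suspicious .aspx:", path)
```

A clean run proves little: HttpProxy logs rotate, and an attacker who got a shell down has had the opportunity to edit them, so a negative result on these two checks is not evidence the server was never touched. What the pass is good for is ordering which servers to isolate and image first, and the source addresses it pulls out are the pivot into firewall and IIS logs for the rest of the timeline.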
More Hacking Groups Join Microsoft Exchange Attack Frenzy
More hacking groups join Microsoft Exchange attack frenzy:
More state-sponsored hacking groups have joined the ongoing attacks targeting tens of thousands of on-premises Exchange servers impacted by severe vulnerabilities tracked as ProxyLogon.
After Microsoft's initial report that the vulnerabilities were actively exploited by a Chinese APT group named Hafnium, Slovak internet security firm ESET shared info on at least three other Chinese-backed hacking groups abusing the ProxyLogon flaws in ongoing attacks.
Besides those three (APT27, Bronze Butler aka Tick, and Calypso), ESET also said that it identified several "additional yet-unclassified clusters."
[...] ESET has now published a new report saying that unpatched Exchange servers are currently hunted down by "at least 10 APT groups."
On top of the previously mentioned APTs (APT27, Tick, and Calypso), ESET's new list also includes Winnti Group, Tonto Team, Mikroceen, and a newly detected threat actor dubbed Websiic.
While analyzing telemetry data, the company has also spotted ShadowPad, "Opera" Cobalt Strike, IIS backdoor, and DLTMiner activity by unknown APT groups.
Microsoft Exchange Server Hacks "Doubling" Every Two Hours
Not covered on SoylentNews yet, but sounds like a major happening. Microsoft Exchange Server hacks 'doubling' every two hours.
Cyberattackers are taking full advantage of slow patch or mitigation processes on Microsoft Exchange Server with attack rates doubling every few hours.
According to Check Point Research (CPR), threat actors are actively exploiting four zero-day vulnerabilities tackled with emergency fixes issued by Microsoft on March 2 -- and attack attempts continue to rise.
In the past 24 hours, the team has observed "exploitation attempts on organizations doubling every two to three hours."
The countries feeling the brunt of attack attempts are Turkey, the United States, and Italy, accounting for 19%, 18%, and 10% of all tracked exploit attempts, respectively.
Government, military, manufacturing, and then financial services are currently the most targeted industries.
Palo Alto estimates that at least 125,000 servers remain unpatched worldwide.
The critical vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) impact Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
Microsoft. No Comment.
Microsoft issued emergency, out-of-band patches to tackle the security flaws -- which can be exploited for data theft and server compromise -- and has previously attributed active exploit to Chinese advanced persistent threat (APT) group Hafnium.
Original Submission #1 Original Submission #2 Original Submission #3 Original Submission #4
Related Stories
The US Justice Department said Wednesday that the FBI surreptitiously sent commands to hundreds of infected small office and home office routers to remove malware China state-sponsored hackers were using to wage attacks on critical infrastructure.
The routers—mainly Cisco and Netgear devices that had reached their end of life—were infected with what's known as KV Botnet malware, Justice Department officials said.
[...] "To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process," an agency special agent wrote in an affidavit dated January 9. "This command will also stop the Target Device from operating as a VPN node, thereby preventing the hackers from further accessing Target Devices through any established VPN tunnel."
[...] The takedown disclosed Wednesday isn't the first time the FBI has issued commands to infected devices without the owners' knowledge ahead of time. In 2021, authorities executed a similar action to disinfect Microsoft Exchange servers that had been compromised by a different China-state group tracked as Hafnium.
[...] In 2018, researchers reported that more than 500,000 SOHO routers had been compromised by sophisticated malware dubbed VPNFilter. The mass hack was later revealed to be an operation by a Russian-state group tracked as Sofacy. In that event, the FBI issued an advisory urging people to restart their routers to remove any possible infections. The agency also seized a domain used to control VPNFilter.
[...] This month's takedown comes as the Chinese government has stepped up attacks in recent years to compromise routers, cameras, and other network-connected devices to target critical infrastructure. warned of the trend in May last year. Researchers in the private sector have issued similar warnings.
Previously on SoylentNews:
Backdoored Firmware Lets China State Hackers Control Routers With "Magic Packets" - 20230930
Microsoft Comes Under Blistering Criticism for "Grossly Irresponsible" Security - 20230805
Malware Turns Home Routers Into Proxies for Chinese State-Sponsored Hackers - 20230518
US Warns of Govt Hackers Targeting Industrial Control Systems - 20220415
State Hackers Breach Defense, Energy, Healthcare Orgs Worldwide - 20211111
Microsoft Exchange Server Zero Day Hack Roundup - 20210316
Breached Water Plant Employees Shared Same Password, No Firewall - 20210211
Iranian Spies Accidentally Leaked Videos of Themselves Hacking - 20200716
Hackers Can Seize Control of Ballots Cast Using the Voatz Voting App, Researchers Say - 20200215
Microsoft Takes Court Action Against Fourth Nation-State Cybercrime Group - 20191231
"state actors" search on SoylentNews for even more: https://soylentnews.org/search.pl?threshold=0&query=state+actors
(Score: 0) by Anonymous Coward on Wednesday March 17 2021, @04:48AM (3 children)
I can't remember the last time I had to work with MS Exchange/Share-whatever-shit.
And that's a good thing.
For some reason, though, I remember having to work with NetWare and Lotus whatsit thing.
Not so good, but for some reason MS shit feels more disgusting.
(Score: 2) by DannyB on Wednesday March 17 2021, @07:17PM (2 children)
I remember once having to work with NetWare once, long ago.
I co-developed a Macintosh product called Timbuktu. A screen sharing product like VNC, but way way back in 1987. It worked on AppleTalk networks. Eventually this got us acquired by a bigger company. At this point, Novell's SPX/IPX protocol was common for PC networks, and we wanted to make Timbuktu a cross platform product. (eg, A Mac user could see a PC user's screen, and vice versa) Another protocol that was just becoming available (remember 1989 now) on Macs and PCs was TCP/IP. This was the protocol Unix workstations used. We had an intern who also ported the software to Unix (NeXT), and Apple's Unix (AUX) but we didn't see any market. On PC networks there also was NetBEUI, the butt sniffing protocol Windows machines used to find each other on the network -- but by this time we began realizing that TCP/IP was the one single protocol that every type of workstation had -- but was always second fiddle to the vendor's primary favored platform-specific protocol.
SPX/IPX protocol wasn't horrible. But Novell servers for file sharing were a bummer to set up and maintain compared to AppleShare servers. Couldn't Novell figure out how to make a file server that any non-technical person could set up? Much later, when Windows 95 came out and had (omg!) long file names (like Mac had for over a decade), it still took a while before Novell had anything but eight dot three filenames. At least in customer deployments.
Long, long before all this, in about 1983 or 84 ish, when we used UCSD p-System for cross platform development, we tried an early version of NetWare. Didn't like it. It was astonishingly difficult to set up compared to the Corvus Omninet type network we used at that time.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 0) by Anonymous Coward on Wednesday March 17 2021, @11:42PM (1 child)
Corvus... wasn't that a hard drive sharing network?
(Score: 2) by DannyB on Thursday March 18 2021, @02:04PM
That is exactly what it was. It was not a 'file' server. It was a 'disk block' server. In the early days it used extremely long flat ribbon cables that looked similar to what you saw in PCs back in the days of IDE hard drive connectors. All of the workstations had access to all of the blocks on the entire hard drive. The software in every workstation, you could call it a primitive sort of device driver, sorta, would understand the "partitioning" of the drive, and which type of file system was in each partition, and allow "mounting" and correct access to only the blocks within a certain area of the drive -- over the "network" if you could call it that.
Later the flat ribbon cables were replaced by a really neat system called Omninet. This was a twisted pair network using a nice thin low cost cable. (eg, NOT coax, but more like doorbell wiring) Corvus made a network interface card or box called a "transporter". There were different models of "transporter" devices for different computers. A card for an IBM PC, or an Apple II, or Apple ///. A separate box with a dongle cord for Macintosh. Etc. All these different computers in an office could then be spread further out, more easily (and cheaply) wired up, and more conveniently. This was long before AppleTalk (eg, Localtalk), and long before Ethernet was in wide spread use on microcomputers. When Macintosh first got Ethernet, circa 1987, an Ethernet card was about $1,000 in 1987 dollars -- and it was all coax at that point. It was still a ways off before there was twisted pair ethernet, and that was expensive at first.
So Corvus Omninet was really quite something in the early 1980s. Microcomputers at this point were still astonishingly primitive by today's standards.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 3, Insightful) by canopic jug on Wednesday March 17 2021, @05:37AM (4 children)
"Zero Day" is a marketing term without any meaning remaining. Don't use it. Originally it meant attacks happening before the vendor was notified, but in this case the vendor was notified first. Therefore, it is not a Zero-Day exploit. Regarding this most recent round of M$ Exchange cracking, exploits were prominently in the wild since no later than Jan 6th 2021 and M$ itself was notified on Jan 5th, 2021 [krebsonsecurity.com].
Even pro-M$ circles have had to admit that this time around pretty much all M$ Exchange servers have been cracked [risky.biz]. The only matter up in the air is whether those with control over the servers are just biding their time or engaged in active use of the cracked systems. What's left of the trade press and the mass media are both beholden to M$ and its partners for advertising money so they have been blaming everyone and everything except the guilty parties: M$ and those who deploy M$. Watch for M$ to try to spread that assertion further and to spin the whole thing as marketing for hosted services aka "cloud".
Instead of giving bailouts to M$ [reuters.com], what's needed is for federal agencies to lead the cleanup of finding and removing M$ Exchange and replacing it with real software. Canonical, IBM, and even small players like Zentyal need to be all over this. They aren't. And M$ is profiting economically and politically from its own failures.
Money is not free speech. Elections should not be auctions.
(Score: 1, Interesting) by Anonymous Coward on Wednesday March 17 2021, @10:01AM
Might be good idea to check the time-stamps on the original submissions, and on the ones that didn't make it, like https://soylentnews.org/submit.pl?op=viewsub&subid=47877 [soylentnews.org]
Already, it is too late.
(Score: 3, Informative) by EvilSS on Wednesday March 17 2021, @03:59PM
(Score: 3, Interesting) by DannyB on Wednesday March 17 2021, @07:23PM (1 child)
Marketing always destroys the meaning of terms that have a specific technical meaning.
My favorite was in the 1980's it was "Relational Database". Suddenly anything that was remotely a database was "relational" and was a "relational database". Product packaging, advertising and sales droids used that term constantly like a buzzword.
Likewise, Advertising destroys every medium it ever touches. Billboards. Newspaper. Magazines. Radio. TV. Cable TV. VHS. DVDs. Usenet spam. Email spam. Web advertising. YouTube. Smart TVs. Once the technology is available, they will want to put ads on the inside of your eyelids.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 2) by FatPhil on Thursday March 18 2021, @02:08PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: -1, Offtopic) by Anonymous Coward on Wednesday March 17 2021, @01:38PM (4 children)
hey, i didn't know this for the longest time:
you can write a letter, put the correct stamp on the envelope and then put it IN YOUR OWN MAILBOX.
the mailman bringing new mail will open your mailbox and see an envelope with an unstamped stamp and will proceed to send it on its way ... and put in your new mail, like normal.
i think people who invented push email also didn't know this ...
(Score: 0) by Anonymous Coward on Wednesday March 17 2021, @06:19PM (1 child)
I think this used to be a common way to prove the time that an invention was disclosed. For best effect, take the letter (addressed to yourself) to the post office and make sure they hand-cancel the stamp so the date is readable. When your contested invention gets to court, open the letter in front of the judge.
Probably a number of other uses too, I will guess that lawyers liked this kind of stuff.
(Score: 2) by DannyB on Wednesday March 17 2021, @07:25PM
That kind of "proof" might only work if experts from the opposing side could examine the envelope before you open it. Everyone gets to look at the evidence.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 2) by DannyB on Wednesday March 17 2021, @07:32PM (1 child)
But what if you were not receiving any incoming mail? (remember: there once was a time before the existence of the Direct Marketing Association and mass advertising mailings that crammed mailboxes to overflowing.) So what to do? Well, mailboxes had these little red flags. You could raise the flag to alert the mail man* that there was outgoing mail, even if you were not receiving any mail today. Kids in a neighborhood might not realize what the flags were for, and think it an amusing pastime to go put up all the flags. (or put them down) on all mailboxes for several blocks.
*Use more inclusive language. Don't say "mail man", do say "male person".
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 0) by Anonymous Coward on Thursday March 18 2021, @01:29PM
> Kids in a neighborhood might not realize what the flags were for, and think it an amusing pastime to go put up all the flags.
Kids in a neighborhood might not realize what the flags were for, and think it an amusing pastime to break them all off. And on 4th of July for good measure blow up the mailboxes with M80s (large firecracker).
ftfy. I must have lived in a tough/redneck neighborhood(?)
btw, we still pay some bills by mail (USA) and the flag on our mailbox at the end of the driveway works just fine with our mail carrier. This neighborhood is "mature", very few kids on the street.
(Score: 1, Interesting) by Anonymous Coward on Wednesday March 17 2021, @01:50PM (1 child)
This reminds me of 2003 when Blaster hit the world, and nearly every one of our Windows machines including our mail servers, share point servers, and pretty much any server of value were blasted. Nearly two decades on, and Microsoft continues to produce the same kind of wonderfully secure products.
(Score: 2) by DannyB on Wednesday March 17 2021, @07:35PM
My favorite product of that era was Ram Doubler. [amazon.com] A software product for PCs that could magically make your PC have double the amount of memory!
What I never understood is why one couldn't run two copies of Ram Doubler and then have quadruple the amount of memory!
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 0) by Anonymous Coward on Wednesday March 17 2021, @08:22PM (1 child)
what kind of stupid bitch uses an exchange server?
(Score: 2) by DannyB on Thursday March 18 2021, @02:07PM
Hillary Clinton.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 2) by Gaaark on Wednesday March 17 2021, @08:49PM
Shoulda dropped the shiz loooong ago: this has been coming for ...how long now? And no one saw it coming? Gimme a break.
Hoping this shiz jus' keeps-a-cumming, harder and harder until all is fecked and MS goes down.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by jb on Thursday March 18 2021, @01:50AM
There, FTFY.
Why anyone would ever voluntarily use the world's least secure mail server (and one of the least reliable too!) is beyond comprehension.