World’s Biggest Email Server Hit With Security Flaw

In one of the largest cyberattacks in US history, over 30,000 US businesses were affected by a sweeping attack on the Microsoft Exchange email servers, one of the largest email servers in the world. The hackers were able to exploit four different zero-day vulnerabilities that allowed them to gain unauthorized access to emails from small businesses to local governments.

According to LeakedSource, FriendFinder Networks secured their passwords with the unsalted hash algorithm SHA-1 and stored user data in plaintext files. Furthermore, a white-hat hacker named Revolver revealed a Local File Inclusion (LFI) vulnerability from photos shared on social media. This was a huge security issue for the adult entertainment company because it had been hacked just one year prior, in May 2015, which compromised 3.5 million users. Despite the data breaches, AdultFriendFinder still attracts over 50 million visitors per month worldwide.

In 2014, global retailer and auction site eBay was hit with a massive data breach that stole the passwords of 145 million users. Hackers obtained access to the main network by stealing login credentials from just a few eBay employees. Luckily, financial information was stored on a separate server, so the scope of the attack was limited to:

The hack will probably stand out as one of the top cybersecurity events of the year, because Exchange is still widely used around the world. It could lead companies to spend more on security software to prevent future hacks, and to move to cloud-based email instead of running their own email servers in-house.

"We are working closely with the CISA [the Cybersecurity and Infrastructure Security Agency], other government agencies, and security companies to ensure we are providing the best possible guidance and mitigation for our customers," a Microsoft spokesperson told CNBC in an email on Monday. "The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources."

But many Microsoft customers have already switched to cloud-based email, and some companies rely on Google's cloud-based Gmail, which is not affected by the Exchange Server flaws. As a result, the impact of the hacks could have been worse if they had come five or 10 years ago, and there won't necessarily be a race to the cloud as a result of Hafnium.

Reston, Va.-based Volexity first identified attacks on the flaws on Jan. 6, and officially informed Microsoft about it on Feb. 2. Volexity now says it can see attack traffic going back to Jan. 3. Microsoft credits Volexity with reporting the same two Exchange flaws as DEVCORE.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021[update], it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom,[8] as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).[9][10][11][12][13][14]

Microsoft Exchange is considered a high-value target for hackers looking to penetrate business networks, as it is email server software, and, according to Microsoft, it provides "a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance."[18] In the past, Microsoft Exchange has been attacked by multiple nation-state groups.[19][20]

On 10 March 2021, security researcher Nguyen Jang posted proof-of-concept code to Microsoft-owned GitHub on how the exploit works, totaling 169 lines of code; the program was intentionally written with errors so that while security researchers could understand how the exploit works, malicious actors would not be able to use the code to access servers. Later that day, GitHub removed the code as it "contains proof of concept code for a recently disclosed vulnerability that is being actively exploited".[24][25] On 13 March, another group independently published exploit code, with this code instead requiring minimal modification to work; the CERT Coordination Center's Will Dormann said the "exploit is completely out of the bag by now" in response.[26]

Hackers took advantage of four separate zero-day vulnerabilities to compromise Microsoft Exchange servers' Outlook Web Access (OWA),[2] giving them access to victims' entire servers and networks as well as to emails and calendar invitations,[4] only at first requiring the address of the server, which can be directly targeted or obtained by mass-scanning for vulnerable servers; the attacker then uses two exploits, the first allowing an attacker to connect to the server and falsely authenticate as a standard user. With that, a second vulnerability can then be exploited, escalating that user access to administrator privileges.[35][36] The final two exploits allow attackers to upload code to the server in any location they wish,[36] that automatically runs with these administrator privileges. Attackers then typically use this to install a web shell, providing a backdoor to the compromised server,[37] which gives hackers continued access to the server as long as both the web shell remains active and the Exchange server remains on.[29]

Through the web shell installed by attackers, commands can be run remotely. Among the actions observed are the downloading of all emails from servers, downloading the passwords and email addresses of users as Microsoft Exchange stores these unencrypted in memory, adding users, adding further backdoors to affected systems, accessing other systems in the network that are unsusceptible to the original exploit, and installing ransomware.[38] As patching the Exchange server against the exploit does not retroactively remove installed backdoors, attackers continue to have access to the server until the web shell, other backdoors and user accounts added by attackers are removed.[39]

Automatic updates are typically disabled by server administrators to avoid disruption from downtime and problems in software,[46] and are by convention installed manually by server administrators after these updates are tested with the existing software and server-setup;[47] as smaller organizations often operate under a smaller budget to do this in-house or otherwise outsource this to local IT providers without expertise in cybersecurity, this is often not done until it becomes a necessity, if ever. This means small and medium businesses, and local institutions such as schools and local governments are known to be the primary victims of the attack as they are more likely to not have received updates to patch the exploit. Rural victims are noted to be "largely on their own", as they are typically without access to IT service providers.[15] On 11 March 2021, Check Point Research revealed that in the prior 24 hours "the number of exploitation attempts on organizations it tracks tripled every two to three hours."[48][49]

The attack was discovered after attackers were discovered downloading all emails belonging to specific users on separate corporate Exchange servers.[38] An undisclosed Washington think tank reported attackers sending convincing emails to contacts in a social engineering attack that encouraged recipients to click on a link.[45] On 11 March 2021, Norway's parliament, the Storting, reported being a victim of the hack, stating that "data has been extracted."[51]

On 18 March 2021, an affiliate of ransomware cybergang REvil claimed they had stolen unencrypted data from Taiwanese hardware and electronics corporation Acer, including an undisclosed number of devices being encrypted, with cybersecurity firm Advanced Intel linking this data breach and ransomware attack to the Microsoft Exchange exploits. Advanced Intel detected one of Acer's Microsoft Exchange servers first being targeted on 5 March 2021. REvil has demanded a $50 million U.S. dollar ransom, claiming if this is paid they would "provide a decryptor, a vulnerability report, and the deletion of stolen files", and stating that the ransom would double to $100 million U.S. dollars if not paid on 28 March 2021.[55]

While in no way believed to be connected to the SolarWinds supply chain attack that has impacted an estimated 18,000 organizations worldwide -- so far -- there is concern that lags in patching vulnerable servers could have a similar impact, or worse, on businesses.

Sources have told cybersecurity expert Brian Krebs that at least 30,000 organizations in the US have been hacked. Bloomberg estimates put this figure closer to 60,000 as of March 8. Palo Alto Networks suggests there were at least 125,000 unpatched servers worldwide, as of March 9.

The deployment of web shells, such as China Chopper, on compromised Exchange servers has proved to be a common attack vector. Batch files written to servers infected with ransomware may ensure access is maintained to vulnerable systems, even after infections have been detected and removed.

It is not just in the US that governments have become directly involved. The Australian Cyber Security Centre (ACSC) is also performing scans to find vulnerable Exchange servers belonging to organizations in the country, and the UK's National Cyber Security Centre (NCSC) is also working with local entities to remove malware from infected servers.

On November 6, 2021, threat actors stole an estimated $55 million from bZx, a decentralised finance platform that allows users to borrow, loan, and speculate on cryptocurrency price varations. A bZx developer was sent a phishing email with a malicious Word document attached. Threat actors compromised the developer's mnemonic wallet phrase and emptied their personal wallet before stealing two private keys for bZx's Polygon and Binance Smart Chain (BSC) blockchains. 2b1af7f3a8