The giant hacker attack on Microsoft Exchange, explained

At the beginning of March, one of the most serious hacker attacks of recent years was discovered. It concerns Microsoft Exchange Server, the software that companies and organizations around the world use to manage email and calendars, and the victims could be tens or, more likely, hundreds of thousands.

The attack was carried out by hackers who, according to Microsoft, are linked to the government of China. It began in January and was discovered in March, but in many ways it has not yet ended, because tens of thousands of servers have still not installed the software Microsoft distributed to fix the problem, and are therefore still exposed to possible intrusions.

The Exchange attack is the second serious hacker attack in a few months, after the one known as SolarWinds, carried out by Russian hacking groups, which in December affected numerous companies and strategic sectors of the United States government. In the Exchange case too, the United States was the main target but not the only one, and this has caused a lot of concern about how prepared the American government is to deal with digital threats.

What is Exchange
The attack hit Exchange, one of the most widely used pieces of software in the world for running corporate email and calendar servers. It lets an organization create email addresses for employees, handle incoming and outgoing mail, and so on. It also provides shared calendars, so that the whole company knows when meetings are, for example. There are obviously many other email server products, but Exchange is by far the most common, especially in the corporate environment.

Exchange is used in two ways. The first is in the cloud: emails and other data are stored on servers managed by Microsoft, and made accessible to individual companies remotely. It's the preferred method of many large companies, including Facebook, which moved all of its internal email services to Microsoft's servers a few years ago. The other way is called “on-premises”, and it means that companies have their own private servers, on which they run Exchange and on which they keep all their data.

This method is mostly used by medium and small businesses or by organizations and government offices, in part because it is cheaper: according to a post on the Lawfare website, a company of 1,000 employees can save up to $100,000 (just over 80,000 euro) per year by running its own “on-premises” email servers.

The hacker attack
The servers hit by the attack were the “on-premises” ones, not those in the cloud. The hackers used four previously unknown Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), chained together, to break into servers and gain complete control of them. Flaws of this kind are the most serious sort, the so-called “zero-days”: the name refers to the number of days the developers have had to fix the flaw before it is exploited, which is zero, because the attackers found it first. The first of the four could be triggered without any credentials by anyone able to reach the server over the internet. Once the vulnerabilities had been exploited, the hackers could read emails, delete them, copy them elsewhere and, in general, control the whole system.

The hackers could also install a “web shell” on the hacked servers: a small script dropped among the server's own web pages that accepts commands over ordinary HTTPS requests, so that access stays open and the attackers keep control even after the vulnerabilities have been closed.

The attack was first detected on January 6 by the cybersecurity firm Volexity. Microsoft's engineers needed a few weeks to understand the problem and find a countermeasure, and they were preparing to release a “patch”, a corrective update that eliminates the vulnerabilities, on Tuesday 9 March. That is a standard date, because on the second Tuesday of every month Microsoft releases security updates for its products, Exchange included (the company calls it “Patch Tuesday”).

In the first weeks of the attack the hackers had been quite cautious: they had compromised relatively few Exchange servers and tried as much as possible to hide their tracks. But towards the end of February, as Microsoft prepared to release the patch and eliminate the vulnerabilities, the hackers' behavior changed. Perhaps aware that they were about to lose their way in, they began to attack en masse, in a way that experts have called “reckless”, installing web shells on as many servers as possible. This prompted Microsoft to bring the release forward and publish the patch on March 2nd.

How the hackers learned that Microsoft was about to eliminate the vulnerabilities is under investigation. One possibility is that one of the cybersecurity companies with which Microsoft shares advance information had someone inside who tipped off the hackers.

The result is that tens of thousands, or perhaps even hundreds of thousands, of corporate Exchange servers have been hacked and may have a web shell installed on them. Brian Krebs, a cybersecurity journalist who was among the first to describe the attack, wrote that the victims could number 30,000 in the United States and 100,000 worldwide, and that they could include companies, local authorities, banks, hospitals, universities, police departments and so on. A source told the Wall Street Journal that the victims could be more than 250,000.

In Italy, thousands of companies are thought to be vulnerable. Among them, this week TIM Business sent a notice to its customers saying that it had been a victim of the attack and that unauthorized access had been found on some of its servers.

Stopping an attack like the Exchange one is extremely difficult, for three reasons.

The first is that, unlike the cloud servers, which Microsoft controls directly, the “on-premises” servers, i.e. those attacked, sit physically inside the companies and are managed by each company's own IT staff. This means that, to install the patch and eliminate the vulnerabilities, the server administrator of every single organization involved has to do it by hand, and not all of them have the technical skills or the people to move with the necessary speed. As of March 12, according to Microsoft, there were still 82,000 servers worldwide without the patch installed.

The second reason is that the patches Microsoft has distributed (after the first there have been others) eliminate the vulnerabilities but do not remove any web shell from servers that were already compromised: the hackers could therefore have kept their access even after the patch was installed. Microsoft and some independent researchers have made tools available to check whether a web shell is installed on a server and, where possible, to remove it, but even then the server is not safe, because there is no way to guarantee that the hackers did not use the initial web shell to install further hidden ways in. The only way to be sure is to wipe everything and rebuild the server from scratch.
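The check the two web shell paragraphs describe, finding scripts that do not belong among the server's web-facing pages, as an added example and not a tool from the article or from Microsoft. It is a PowerShell script an Exchange administrator would run locally on an on-premises server; the directory list, the cutoff date and the indicator strings are assumptions chosen for illustration, and the Exchange paths are the default install locations, which may differ on a given server.

```powershell
# Added example (not the article's or Microsoft's own tool): hunt for
# unexpected ASP.NET script files in the web-facing Exchange directories
# where post-compromise web shells are typically dropped.
# Assumptions: default install path under V15, a cutoff date of 2021-01-01
# (the attack began in January), and a small indicator list.
param(
    [string]$ExchangeRoot = "$env:ProgramFiles\Microsoft\Exchange Server\V15",
    [datetime]$Since = (Get-Date "2021-01-01")
)

# Directories served directly by IIS; any *.aspx/*.ashx/*.asmx that the
# installer did not put here deserves a look.
$WatchDirs = @(
    (Join-Path $ExchangeRoot "FrontEnd\HttpProxy\owa\auth"),
    (Join-Path $ExchangeRoot "FrontEnd\HttpProxy\ecp\auth"),
    "$env:SystemDrive\inetpub\wwwroot\aspnet_client"
)

# Regexes typical of web shell source: attacker-controlled request data
# handed to a code- or command-execution primitive. Legitimate pages can
# match some of these too, so a hit is a lead, not a verdict.
$Indicators = @(
    'Request\[', 'Request\.Item', 'Request\.Form',
    'eval\(', 'Process\.Start', 'cmd\.exe', 'powershell'
)

$Findings = foreach ($dir in $WatchDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -Include *.aspx,*.ashx,*.asmx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $text = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
            $hits = $Indicators | Where-Object { $text -match $_ }
            # Timestamps are a weak signal on their own: an attacker can reset
            # them, so a file is reported if EITHER the date OR the content flags it.
            $recent = ($file.CreationTimeUtc -ge $Since) -or ($file.LastWriteTimeUtc -ge $Since)
            if ($recent -or $hits) {
                [pscustomobject]@{
                    Path       = $file.FullName
                    CreatedUtc = $file.CreationTimeUtc
                    ModifiedUtc = $file.LastWriteTimeUtc
                    SizeBytes  = $file.Length
                    # Hash lets you compare against a known-clean install of
                    # the same Exchange build instead of trusting timestamps.
                    SHA256     = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                    Indicators = ($hits -join ', ')
                }
            }
        }
}

$Findings | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the Exchange server itself. Files that appear only because of their date should be hashed against the same file on a clean server of the same build before being treated as malicious; files that match an indicator and are not part of the product should be preserved for investigation before removal. A clean result from a script like this does not contradict the article's point: it only shows that nothing obvious remains in these directories, not that the server is trustworthy, which is why rebuilding from scratch remains the safe course once a server is known to have been compromised.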

The third reason is that a web shell is easy for third parties to exploit as well. The attack was carried out by a specific group of Chinese hackers but is easily reproducible, and in some cases other hacking groups have managed to use the web shells installed by the Chinese, for example to carry out “ransomware” attacks: the hackers take control of the servers, make the company's emails inaccessible, and then demand payment to hand them back.

In recent weeks there have been several ransomware cases linked to the Exchange attack, and at least 10 hacking groups are now taking advantage of the vulnerabilities first used by the Chinese.

The attack is therefore particularly dangerous because its targets are so widespread and fragmented, and it will likely take weeks or perhaps even months to resolve everything. That is without counting the damage already done: the emails the hackers read and stole could contain information of economic or strategic value, and control of it has now been lost.

Who are the hackers
Microsoft said almost immediately that the group responsible for the attack on Exchange is of Chinese origin and “state-sponsored”, that is, linked in some way to the government of China. The Chinese government has denied it.

Microsoft has named this group Hafnium. It is described as a known and highly skilled group of Chinese hackers which in recent months has carried out several attacks aimed at stealing confidential information from organizations such as “medical research centers, law firms, universities, defense contractors, think tanks and NGOs”. The group is sophisticated and capable of very damaging attacks.

It is not yet clear what Hafnium's goal was in the attack on Exchange. Researchers are also unsure how to interpret the group's behavior since late February, when it began recklessly infecting as many servers as possible rather than focusing on a few more valuable targets.

US concerns
Since the beginning of March the US government has shown great concern about the attack on Exchange. Shortly after the news broke, White House spokesperson Jennifer Psaki told reporters at a press briefing: “We are concerned that there are a large number of victims,” and added that the attack “could have a long-term impact”. Meanwhile, the National Security Council has set up a task force to deal with the issue.

The attack on Exchange comes just a few months after the equally serious SolarWinds one, carried out by Russian hackers, which was another very hard blow: in that case only a few carefully chosen targets were breached (about a dozen American government agencies and around a hundred companies), but government security experts discovered with alarm that the hackers had been inside their systems for months, perhaps years. The Exchange attack is very different and unrelated, but the two events have one thing in common besides their severity: the United States failed to prevent them.

According to the New York Times, the Biden administration is reviewing its approach to cybersecurity after the two attacks, and in particular intends to revisit the ban, in place since 2013 after the scandals revealed by Edward Snowden, on conducting cyber surveillance within American borders. This ban has been exploited in much of the recent wave of attacks: the hackers, even when Russian or Chinese, have used technical tricks to make their traffic originate from inside the United States, so as to stay out of reach of the security agencies.
