Espionage via Microsoft Exchange Server Could Eclipse SolarWinds Intrusion

Sean Oesch
Mar 5, 2021

It has been reported that over 30,000 organizations were compromised by an “unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations” (Krebs on Security). The attackers exploited flaws in Microsoft Exchange Server, and the targets include a “range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs”. The vulnerabilities let attackers plant a web shell on victim servers, giving them administrative access that persists until the shell is found and removed.

There is concern that attackers are seeking to establish additional backdoors that would remain post-cleanup. “Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.”

But — as noted by the Wired article linked below — in all likelihood only a small number of victims were specifically targeted. “That means only a small number of the hundreds of thousands of hacked servers around the world are likely to be actively targeted by the Chinese hackers, says Volexity founder Steven Adair. Nonetheless, any organization that doesn’t take pains to remove the hackers’ backdoor remains compromised, and the hackers could re-enter their networks to steal data or cause mayhem until that web shell is removed.”
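The practical follow-up to that warning is a hunt for leftover web shells. The script below is an added example, not code from the post or from any vendor guidance: it walks IIS/Exchange content directories, flags ASP.NET script files that were modified after a cutoff date, and separately flags files in which request input reaches a code or process executor. The default directories are the conventional IIS and Exchange client-access folders and the patterns are generic web-shell heuristics, both assumptions rather than indicators from the articles quoted above; the sample directory tree is constructed so the script runs offline.

```python
"""Triage scan for leftover ASP.NET web shells in IIS/Exchange content directories.

Added example, not code from the post. The directories and regexes are
assumptions: conventional install paths and generic web-shell heuristics,
not signatures from any advisory. A hit means "inspect this file by hand",
not "confirmed web shell".
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Conventional content directories (assumption; adjust to the real install path).
DEFAULT_ROOTS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
]
WEB_EXTS = {".aspx", ".ashx", ".asmx", ".asax"}

# A file is content-flagged only when it both reads attacker-controlled request
# data AND hands something to an executor; either alone is common in benign code.
INPUT_RE = re.compile(r"Request(\.(Form|QueryString|Headers|Item)|\[)", re.I)
EXEC_RE = re.compile(
    r"\b(eval|Execute|ExecuteGlobal|Process\.Start|JScript\.Eval|"
    r"System\.Diagnostics\.Process|Assembly\.Load|ProcessStartInfo)\b",
    re.I,
)


def hunt_web_shells(roots, since, exts=WEB_EXTS):
    """Return [(path, reason)] for script files under `roots` that were
    modified at or after `since` (a UTC datetime) or match the input+exec rule."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():          # skip roots that do not exist on this host
            continue
        for path in root.rglob("*"):
            if not path.is_file() or path.suffix.lower() not in exts:
                continue
            reasons = []
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            if mtime >= since:
                reasons.append(f"modified {mtime:%Y-%m-%d}")
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                text = ""
            if INPUT_RE.search(text) and EXEC_RE.search(text):
                reasons.append("request input reaches an executor")
            if reasons:
                findings.append((str(path), "; ".join(reasons)))
    return findings


def build_sample_tree():
    """Constructed sample tree for an offline demo; these are not real artefacts."""
    base = Path(tempfile.mkdtemp())
    auth = base / "owa" / "auth"
    auth.mkdir(parents=True)
    # Benign page: reads a request parameter but never executes anything.
    (auth / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n<% string u = Request["username"]; %>\n'
    )
    # Constructed shell-like page: a request parameter is fed straight to eval.
    (auth / "help.aspx").write_text(
        '<%@ Page Language="Jscript" %>\n<% eval(Request.Item["c"], "unsafe"); %>\n'
    )
    # Backdate the benign file so the modification-date rule ignores it.
    old = datetime(2019, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(auth / "logon.aspx", (old, old))
    return base


def demo():
    """Run the hunt over the constructed tree with an arbitrary cutoff date."""
    base = build_sample_tree()
    return hunt_web_shells([base], since=datetime(2021, 2, 26, tzinfo=timezone.utc))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

On a real server, pass `DEFAULT_ROOTS` (or the actual install path) and a cutoff at the start of the exposure window. The date rule on its own is noisy, because a cumulative update rewrites many of these files; a date hit without a content hit is best confirmed by comparing the file against a known-good installation rather than by deleting it outright.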

This is an example of how a single serious vulnerability can be exploited at scale within days and lead to long-term damage, especially in organizations that are not equipped to do the cleanup properly: applying the patch closes the entry point, but it does not remove a web shell that is already in place. How can we as researchers help prevent this type of overnight, large-scale abuse? Is moving towards zero trust part of the answer to containing the cascading effects of a single vulnerability? And how can patches be applied more quickly and more reliably once vulnerabilities are identified?


Reflections on cybersecurity research & news, academia, and software engineering. Cybersecurity Researcher at Oak Ridge National Laboratory.