The breadth of the exploitation adds to the urgency of the
warnings being issued by authorities in the United States and Europe about the
weaknesses found in Microsoft's Exchange software.
The security holes in the widely used mail and calendaring
solution leave the door open to industrial-scale cyber espionage, allowing
malicious actors to steal emails virtually at will from vulnerable servers or
move elsewhere in the network. Tens of thousands of organizations have already
been compromised, Reuters reported last week, and new victims are being made
public daily.
Earlier on Wednesday, for example, Norway's parliament
announced data had been "extracted" in a breach linked to the
Microsoft flaws. Germany's cybersecurity watchdog agency also said on Wednesday
two federal authorities had been affected by the hack, although it declined to
identify them.
While Microsoft has issued fixes, the sluggish pace of many
customers' updates - which experts attribute in part to the complexity of
Exchange's architecture - means the field remains at least partially open to
hackers of all stripes. The patches do not remove any back door access that has
already been left on the machines.
In addition, some of the back doors left on compromised
machines have passwords that are easily guessed, so that newcomers can take
them over.
Microsoft declined comment on the pace of customers'
updates. In previous announcements pertaining to the flaws, the company has
emphasized the importance of "patching all affected systems immediately."
Although the hacking has appeared to be focused on cyber
espionage, experts are concerned about the prospect of ransom-seeking
cybercriminals taking advantage of the flaws because it could lead to
widespread disruption.
ESET's blog post said there were already signs of
cybercriminal exploitation, with one group that specializes in stealing
computer resources to mine cryptocurrency breaking into previously vulnerable
Exchange servers to spread its malicious software.
ESET named nine other espionage-focused groups it said were
taking advantage of the flaws to break into targeted networks - several of
which other researchers have tied to China. Microsoft has blamed the hack on
China. The Chinese government denies any role.
Intriguingly, several of the groups appeared to know about
the vulnerability before it was announced by Microsoft on March 2.
Ben Read, a director with cybersecurity company FireEye Inc,
said he could not confirm the exact details in the ESET post but said his
company had also seen "multiple likely-China groups" using the
Microsoft flaws in different waves.
ESET researcher Matthieu Faou said in an email it was
"very uncommon" for so many different cyber espionage groups to have
access to the same information before it is made public.
He speculated that either the information "somehow
leaked" ahead of the Microsoft announcement or it was found by a third
party that supplies vulnerability information to cyber spies.
Taiwan-based researchers reported to Microsoft on Jan. 5
that they had found two new flaws which needed patching. Those two were among
the flaws the attackers began using shortly before or after the
friendly report.
They said they were investigating whether there had been a theft
or leak on their side, since exploitation was discovered in the wild the same
week. So far, the group, called Devcore, said they had found no evidence.
Top-flight hackers are also commonly targeted by other
hackers. Just this week, Microsoft patched one of the flaws used by suspected
North Koreans in attempts to steal information from Western researchers.
But simultaneous discovery happens fairly often, in part
because researchers use the same or similar tools to hunt for serious flaws,
and many eyes are looking at the same high-value targets.
"It is very likely that some actor groups may have
been using these vulnerabilities and led to the result of the attacks being
observed by other information security vendors," Devcore member Bowen Hsu
told Reuters.
But the security industry has been abuzz with other
theories, including a hack of Microsoft's systems for tracking bugs, which has
happened in the past.