More than a few lakh (several hundred thousand) companies have had the servers running Microsoft's Exchange email program exposed to potential hacks. The second wave, which began Feb. 26, is highly uncharacteristic of Beijing's elite cyber spies and far exceeds the norms of espionage, said Kevin Mandia of FireEye. The hack could lead companies to spend more on security software and to adopt cloud-based email instead of running their own email servers in-house.
Exchange Server is Microsoft's mail and calendar software for corporate and government data centers. The vulnerabilities affect versions going back 10 years and have been exploited by Chinese hackers at least since January. Mandia said that, based on the forensics, his company assesses that two groups of Chinese state-backed hackers, in an explosion of automated seeding, installed backdoors known as web shells on an as-yet undetermined number of systems. Experts fear a large number of those systems could easily be exploited for second-stage infections of ransomware by criminals, who also use automation to identify and infect targets.
IT departments are working on applying the patches, but that takes time, and the vulnerabilities are still widespread. On Monday, internet security company Netcraft said it had run an analysis over the weekend and observed over 99,000 servers online running unpatched Outlook Web Access software.
In Box: How the attack worked. First, the attacker would gain access to an Exchange Server, either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what's called a web shell to control the compromised server remotely. Third, it would use that remote access, run from U.S.-based private servers, to steal data from an organization's network.
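The second step above, a web shell dropped into a web-served directory, is the one a defender can hunt for directly. The script below is an added example, not code from the article or from FireEye, Microsoft or Volexity. It assumes (the article does not say this) that a dropped shell is a `.aspx`, `.ashx` or `.asmx` file written after a chosen cutoff whose server-side code evaluates request input or spawns a process; the indicator patterns, the directory layout and the three sample files are constructed for illustration.

```python
"""Hunt for recently written ASP.NET web shells under a web root.

Added example, not code from the article or from FireEye, Microsoft or
Volexity. Assumptions (not stated in the article): a dropped web shell is a
.aspx/.ashx/.asmx file, written after a chosen cutoff, containing server-side
code that evaluates request input or spawns processes. The indicator
patterns and the sample files below are constructed for illustration.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed indicators of an ASP.NET web shell (not taken from the article).
SHELL_INDICATORS = {
    "server_script": re.compile(r'runat\s*=\s*["\']server["\']', re.I),
    "reads_request": re.compile(r'Request\s*(\.\s*(Item|Form|QueryString|Headers)|\[)', re.I),
    "eval_call": re.compile(r'\beval\s*\(', re.I),
    "spawns_process": re.compile(r'Process\.Start|ProcessStartInfo|cmd\.exe|powershell', re.I),
    "loads_assembly": re.compile(r'Assembly\.Load|System\.Reflection', re.I),
}
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def indicators_in(path: Path) -> list:
    """Names of the indicator patterns found in a file (empty if unreadable)."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return []
    return [name for name, rx in SHELL_INDICATORS.items() if rx.search(text)]


def hunt(web_root, newer_than: datetime, min_hits: int = 2) -> list:
    """Walk web_root and report web files modified after newer_than that match
    at least min_hits indicators. One hit alone (e.g. the runat="server" of a
    normal ASP.NET form) is not reported; a shell typically hits several."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in WEB_EXTENSIONS:
                continue
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            if mtime < newer_than:
                continue
            hits = indicators_in(path)
            if len(hits) >= min_hits:
                findings.append({"path": str(path.relative_to(web_root)),
                                 "modified": mtime.isoformat(),
                                 "indicators": hits})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_root() -> Path:
    """Constructed sample web root: one benign page, one fresh shell, one
    backdated copy of the shell. Directory names are illustrative only."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "owa" / "auth").mkdir(parents=True)
    (root / "ecp").mkdir()
    # Benign logon page: a runat="server" form on its own is ordinary ASP.NET.
    (root / "owa" / "auth" / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n<form id="logonForm" runat="server">'
        '<input name="username"/></form>\n')
    # Fresh one-line shell: evaluates whatever arrives in the "cmd" parameter.
    shell = ('<script language="JScript" runat="server">'
             'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>\n')
    (root / "owa" / "auth" / "help.aspx").write_text(shell)
    # Same shell with a backdated timestamp, as an attacker may "timestomp" it:
    # the date filter alone misses this one, which is the caveat of relying on
    # modification times rather than content.
    old = root / "ecp" / "old.aspx"
    old.write_text(shell)
    old_ts = datetime(2015, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(old, (old_ts, old_ts))
    return root


def demo() -> list:
    """Run the hunt over the constructed root with a cutoff of 24 hours ago."""
    root = build_sample_root()
    return hunt(root, datetime.now(timezone.utc) - timedelta(days=1))


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["modified"], ",".join(f["indicators"]))
```

On a real server, point `hunt()` at the IIS web root with the cutoff set before the earliest exploitation date you trust, and run it a second time with a very old cutoff (for example `datetime.min.replace(tzinfo=timezone.utc)`) so that a timestomped file like the constructed `old.aspx` is still caught by its content; treat every hit as a lead to confirm against IIS request logs, not as proof by itself.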
The explosion of automated backdoor-creating hacks began five days before Microsoft issued a patch for the vulnerabilities, which were first identified in late January by the cybersecurity firm Volexity. Volexity had found evidence of the vulnerabilities being used as far back as Jan. 3 by Chinese state-backed hackers, who researchers say targeted think tanks, universities, defense contractors, law firms and infectious-disease research centers.
Suddenly, all manner of organizations that run email servers were infected with web shells associated with known Chinese groups, who, knowing the patch was imminent, rushed to hit everything they could, said Mandia.
"They could sense it was going to end-of-life soon, so they just went wild. They machine-gun-fired down the stretch," he said in an interview in FireEye's offices.
"It's possible the second infection wave was not approved at the highest levels of China's government," Mandia said.
"This doesn't feel consistent with what they normally do," he said. "A lot of times there's a disconnect between senior leadership and front-line folks. All I can tell you is it was surprising to me to see four zero days wantonly exploited," adding, "If you could be exploited by this act, for the most part, you were."
Zero days are vulnerabilities that hackers discover and use to pry open secret doors in software. The name refers to the vendor having had zero days to fix the flaw before it is exploited; the countdown to a patch only begins once the vendor learns of it. In this case, it took Microsoft 28 days to produce a patch once it was notified.