Update: The White House officially confirmed on 19 July that China was behind the Microsoft Exchange Server hack.
The Biden administration has pledged to officially blame the country behind the recent large-scale Microsoft Exchange Server exploitation in the “near future” as it continued to urge organisations to install critical security patches after ransomware was detected on huge numbers of compromised systems.
Hundreds of thousands of on-premises Microsoft Exchange Servers around the world are believed to be exposed to the recently revealed zero-day exploits targeting the tech giant’s mail and calendar product.
On 2 March Microsoft itself attributed the development and first use of the exploits, with “high confidence”, to Hafnium, a Chinese state-sponsored cyberespionage group.
But the US government has so far refrained from pointing the blame at the country responsible for one of the largest cyberattacks in recent memory. Historically, states have been hesitant to publicly accuse other countries of committing cyberattacks.
On Friday, US National Security Advisor Jake Sullivan told press that he wasn’t able to provide attribution just yet, but promised an update soon.
“But I do pledge to you that we will be in a position to attribute that attack at some point in the near future, and we won’t hide the ball on that,” he said. “We will come forward and say who we believe perpetrated the attack.”
The Exchange hits come as the US is still reeling from the SolarWinds hack that saw multiple federal agencies and thousands of private companies compromised. Russian state-sponsored hacking groups are believed to be responsible for that cyberattack. The two incidents have put mounting pressure on President Joe Biden to respond, with reports indicating some form of retaliation may occur in the coming weeks.
At the recent Quad Summit, Biden discussed the Exchange hack with counterparts in Australia, Japan and India, which have also been affected by the cyber campaign.
His administration has also invited the private sector to take part in a multi-agency task force addressing the Exchange Server vulnerabilities as the number of victims continues to rise. A White House official told reporters on Friday that the window for patching is “measured in hours, not days”.
Exchange hack sparks ransomware threat
On 2 March Microsoft released security fixes for four Exchange vulnerabilities that allow threat actors to steal email data or install malicious software that could give them complete remote control over affected systems.
This has led to ordinary criminal hacking groups rushing to use the vulnerabilities to infect organisations with file-encrypting ransomware before admins could patch their systems.
Last week Microsoft warned it had detected DoejoCrypt ransomware being spread on Exchange hack victims’ systems.
“This attack vector may be particularly attractive to ransomware operators because it is an especially efficient means of gaining domain admin access,” said John Hultquist, VP of analysis at cybersecurity firm Mandiant Threat Intelligence. “That access enables them to deploy encryption across the enterprise. In cases where organisations are unpatched, these vulnerabilities will provide criminals a faster path to success.”
While the attack was initially launched by Hafnium, it has now become a lucrative opportunity for comparatively ordinary cybercriminal gangs around the world. Slovak internet security firm ESET said it had seen at least 10 criminal gangs exploiting the Exchange flaws.
Victims include small businesses, hospitals, schools, governments, universities and cities. Known victims include the European Banking Authority and the Norwegian Parliament.
Growing evidence suggests that smaller organisations are disproportionately affected because they are less likely to have migrated to Microsoft Exchange Online, which is unaffected by the zero-day exploits.
“Unfortunately, many of the remaining vulnerable organisations will be small and medium sized businesses, state and local government, and schools, which will struggle to keep up with the deluge of actors leveraging this increasingly available exploit,” said Hultquist.
Sullivan said the US government was “still trying to determine the scope and scale”, but estimates put the number of affected organisations in the hundreds of thousands.
Threat intelligence firm RiskIQ said on Thursday it had detected over 82,000 servers worldwide that had yet to be patched. However, that number appears to be in decline from the 400,000 unpatched servers it detected at the beginning of the month, suggesting the warnings to patch are being heeded.
Palo Alto Networks came to a similar conclusion, with 80,000 Exchange servers unpatched as of Thursday – 20,000 of them in the US.
However, patching alone is not enough, as it does not remove any malware that may have been put in place by cybercriminals who have already compromised the network.
The US National Security Council (NSC) warned that CIOs and CISOs should not just patch and relax, tweeting:
“Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organisation with a vulnerable server take immediate measures to determine if they were already targeted.”
On Friday the UK’s National Cyber Security Centre urged organisations running on-prem Exchange to install the latest updates “immediately”. If updates cannot be installed, then companies should implement Microsoft’s mitigations. Those unable to do so should isolate Exchange Server from the internet, the agency said.
The NCSC “strongly advises” those affected to “proactively search systems for evidence of compromise”.
Paul Chichester, NCSC director for operations, said:
“We are working closely with industry and international partners to understand the scale and impact of UK exposure, but it is vital that all organisations take immediate steps to protect their networks.
“Whilst this work is ongoing, the most important action is to install the latest Microsoft updates.”
On Tuesday UK Prime Minister Boris Johnson is expected to commit to taking a “full-spectrum” approach to cyber as part of the government’s Integrated Review on foreign and defence policy. It follows the creation of the National Cyber Force last year, which has the capacity to conduct offensive cyber operations.