The head of Germany's cybersecurity watchdog said on Wednesday (March 10) that more than 60,000 computer systems in Germany were exposed to a Microsoft vulnerability and that hackers were breaking into them through flaws in the company's email software.
Researchers have also found that several suspected Chinese Communist Party-linked hacking groups are exploiting the same vulnerability at the same time, which is rare, to break into networks around the world.
Arne Schoenbohm, head of Germany's Federal Office for Information Security (BSI), said on Wednesday that more than half of the affected systems had been patched since Microsoft issued its warning last week, but that about 25,000 computers still needed to be fixed.
The vulnerability is said to have been widely exploited by multiple hacking groups and to have affected more than 20,000 U.S. institutions. The European Union's banking regulator and the Norwegian Parliament were also affected.
In a 14-page report on the Microsoft vulnerability issued on Wednesday, the BSI said that the behavior of the attackers exploiting it has changed dramatically since the bug was publicly disclosed.
Initially, most of the targets were think tanks, universities, non-governmental organizations, law firms and defense companies, the vast majority of them U.S. entities. Now, however, the report finds that "[hackers] are deploying the vulnerability on a large scale against thousands of targets – apparently on a global scale."
Several suspected Chinese Communist hacking groups simultaneously exploiting the Microsoft vulnerabilities
Another troubling finding is the rare sight of multiple hacking groups working with the same vulnerability at the same time. Researchers at the cybersecurity firm ESET said at least 10 different hacking groups are exploiting the vulnerabilities in Microsoft's email software to compromise targets around the world.
ESET researcher Matthieu Faou told Reuters by email that it was "unusual" for 10 different cyber espionage groups to have obtained the same information before the Microsoft vulnerability was made public.
He saw only two possibilities: either the information was "somehow leaked" before Microsoft announced it, or the vulnerabilities were discovered by third parties and then provided to the cyber espionage groups.
ESET's blog post on Wednesday also reported signs of ordinary cybercriminals exploiting the Microsoft vulnerabilities: a group that specializes in hijacking computing resources to mine cryptocurrency was breaking into vulnerable Microsoft Exchange servers to spread its malware.
Exchange servers provide email and calendar services and are mainly run by larger organizations that host their own email servers rather than using a cloud service.
ESET also named nine other groups focused on espionage that are known to be using the Microsoft vulnerabilities to break into targeted networks, several of them with ties to China (the Chinese Communist Party). Moreover, several of these groups appear to have had knowledge of the vulnerability before Microsoft announced it on March 2.
Ben Read, a manager at the cybersecurity firm FireEye Inc, said he could not confirm the specific details in the ESET blog post, but that his company had also seen "multiple groups that could be from China."
Multiple countries take remedial action over the Microsoft Exchange hack
Two German federal agencies were also affected by the hack, but the BSI declined to give details.
The BSI said that since the weekend it had been contacted by about 100 companies, ranging from small businesses to large corporations, seeking cybersecurity guidance, far more than the usual number of requests.
The BSI said it is in contact with computer emergency response teams (CERTs) in Europe and abroad, particularly the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and is also in close contact with Microsoft.
Many Microsoft Exchange servers in Germany have since been secured by applying the patches.
On March 2, Microsoft identified the group behind the attacks as a Chinese cyber espionage group it calls Hafnium and released security updates for the flaws.
The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, issued a rare emergency directive last week ordering federal civilian agencies to immediately patch or disconnect servers running Microsoft Exchange, and encouraged other organizations to apply the fixes as well.
CISA then urged administrators to scan their Exchange server logs with Microsoft's indicator-of-compromise (IOC) detection tool to help determine whether they had already been hacked.
The White House National Security Council also warned via Twitter that patching and mitigation do not remove an attacker who has already broken in; it called on any organization with vulnerable servers to take immediate steps to determine whether they had been compromised.
The Wall Street Journal previously reported that if the cyberattack by suspected Russian hackers on U.S. government systems and businesses revealed last December was a surgically precise strike that hit roughly 100 companies and nine government agencies, the suspected Chinese hackers' attack on U.S. companies and institutions through the Microsoft vulnerability was more like a shrapnel blast that has hit tens of thousands of victims or more.