Date | |
---|---|
Location | Global |
Type | Cyberattack, data breach |
Cause | Microsoft Exchange Server zero-day vulnerabilities [4] |
First reporter | Microsoft (public disclosure) [3] |
Suspects | Hafnium, [5] [6] and at least nine others. [7] |
A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021 [update] , it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, [8] as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF). [9] [10] [11] [12] [13] [14]
On 2 March 2021, Microsoft released updates for Microsoft Exchange Server 2010, 2013, 2016 and 2019 to patch the exploit; this does not retroactively undo damage or remove any backdoors installed by attackers. Small and medium businesses, local institutions, and local governments are known to be the primary victims of the attack, as they often have smaller budgets to secure against cyber threats and typically outsource IT services to local providers that do not have the expertise to deal with cyber attacks. [15]
On 12 March 2021, Microsoft announced the discovery of "a new family of ransomware" being deployed to servers initially infected, encrypting all files, making the server inoperable and demanding payment to reverse the damage. [16] On 22 March 2021, Microsoft announced that in 92% of Exchange servers the exploit has been either patched or mitigated. [17]
Microsoft Exchange is considered a high-value target for hackers looking to penetrate business networks, as it is email server software, and, according to Microsoft, it provides "a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance." [18] In the past, Microsoft Exchange has been attacked by multiple nation-state groups. [19] [20]
On 5 January 2021, security testing company DEVCORE made the earliest known report of the vulnerability to Microsoft, which Microsoft verified on 8 January. [21] The first breach of a Microsoft Exchange Server instance was observed by cybersecurity company Volexity on 6 January 2021. [1] By the end of January, Volexity had observed a breach allowing attackers to spy on two of their customers, and alerted Microsoft to the vulnerability. After Microsoft was alerted of the breach, Volexity noted the hackers became less stealthy in anticipation of a patch. [22]
On 2 March 2021, another cybersecurity company, ESET, wrote that they were observing multiple attackers besides Hafnium exploiting the vulnerabilities. [4] Wired reported on 10 March that now that the vulnerability had been patched, many more attackers were going to reverse engineer the fix to exploit still-vulnerable servers. Analysts at two security firms reported they had begun to see evidence that attackers were preparing to run cryptomining software on the servers. [23]
On 10 March 2021, security researcher Nguyen Jang posted proof-of-concept code to Microsoft-owned GitHub on how the exploit works, totaling 169 lines of code; the program was intentionally written with errors so that while security researchers could understand how the exploit works, malicious actors would not be able to use the code to access servers. Later that day, GitHub removed the code as it "contains proof of concept code for a recently disclosed vulnerability that is being actively exploited". [24] [25] On 13 March, another group independently published exploit code, with this code instead requiring minimal modification to work; the CERT Coordination Center's Will Dormann said the "exploit is completely out of the bag by now" in response. [26]
The attacks came shortly after the 2020 United States federal government data breach, which also saw the compromising of Microsoft's Outlook web app and supply chain. Microsoft said there was no connection between the two incidents. [27]
Microsoft said that the attack was initially perpetrated by the Hafnium, a Chinese state-sponsored hacking group (advanced persistent threat) that operates out of China. [5] [22] [6] [26] Hafnium is known to install the web shell China Chopper. [26] Microsoft identified Hafnium as "a highly skilled and sophisticated actor" that historically has mostly targeted "entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs." [28] Announcing the hack, Microsoft stated that this was "the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society." [28] As of 12 March 2021, there were, in addition to Hafnium, at least nine other distinct groups exploiting the vulnerabilities, each different styles and procedures. [7] [29]
The Chinese government denied involvement, calling the accusations "groundless." [22] [30]
In a July 19, 2021 joint statement, the US, UK, EU, NATO, and other Western nations accused the Ministry of State Security (MSS) of perpetrating the Exchange breach, along with other cyberattacks, "attributing with a high degree of confidence that malicious cyber actors affiliated with PRC’s MSS conducted cyber espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021." [31] [32] [33] [34]
Hackers took advantage of four separate zero-day vulnerabilities to compromise Microsoft Exchange servers' Outlook Web Access (OWA), [2] giving them access to victims' entire servers and networks as well as to emails and calendar invitations, [4] only at first requiring the address of the server, which can be directly targeted or obtained by mass-scanning for vulnerable servers; the attacker then uses two exploits, the first allowing an attacker to connect to the server and falsely authenticate as a standard user. With that, a second vulnerability can then be exploited, escalating that user access to administrator privileges. [35] [36] The final two exploits allow attackers to upload code to the server in any location they wish, [36] that automatically runs with these administrator privileges. Attackers then typically use this to install a web shell, providing a backdoor to the compromised server, [37] which gives hackers continued access to the server as long as both the web shell remains active and the Exchange server remains on. [29]
Through the web shell installed by attackers, commands can be run remotely. Among the actions observed are the downloading of all emails from servers, downloading the passwords and email addresses of users as Microsoft Exchange stores these unencrypted in memory, adding users, adding further backdoors to affected systems, accessing other systems in the network that are unsusceptible to the original exploit, and installing ransomware. [38] As patching the Exchange server against the exploit does not retroactively remove installed backdoors, attackers continue to have access to the server until the web shell, other backdoors and user accounts added by attackers are removed. [39]
On 27 and 28 February 2021, there was an automated attack, and on 2 and 3 March 2021, attackers used a script to return to the addresses to drop a web shell to enable them to return later. [29] Referring to the week ending 7 March, CrowdStrike co-founder Dmitri Alperovitch stated: "Every possible victim that hadn't patched by mid-to-end of last week has already been hit by at least one or several actors". [40] After the patch was announced, the tactics changed when using the same chain of vulnerabilities. [29] [41]
Microsoft Exchange Server versions of 2010, 2013, 2016 and 2019 were confirmed to be susceptible, although vulnerable editions are yet to be fully determined. [42] Cloud-based services Exchange Online and Office 365 are not affected. [43]
Hackers have exploited the vulnerabilities to spy on a wide range of targets, affecting an estimated 250,000 servers. [11] [44] Tom Burt, Microsoft's vice president for Customer Security & Trust, wrote that targets had included disease researchers, law offices, universities, defense contractors, non-governmental organizations, and think tanks. [28] [9] [45]
Automatic updates are typically disabled by server administrators to avoid disruption from downtime and problems in software, [46] and are by convention installed manually by server administrators after these updates are tested with the existing software and server-setup; [47] as smaller organizations often operate under a smaller budget to do this in-house or otherwise outsource this to local IT providers without expertise in cybersecurity, this is often not done until it becomes a necessity, if ever. This means small and medium businesses, and local institutions such as schools and local governments are known to be the primary victims of the attack as they are more likely to not have received updates to patch the exploit. Rural victims are noted to be "largely on their own", as they are typically without access to IT service providers. [15] On 11 March 2021, Check Point Research revealed that in the prior 24 hours "the number of exploitation attempts on organizations it tracks tripled every two to three hours." [48] [49]
Check Point Research has observed the United States as being the most attacked country with 17% of all exploit attempts, followed by Germany with 6%, the United Kingdom and the Netherlands both at 5%, and Russia with 4% of all exploits; government/military is the most targeted sector with 23% of exploit attempts, followed by manufacturing at 15%, banking and financial services at 14%, software vendors with 7% and healthcare at 6%. [26] [50]
The attack was discovered after attackers were discovered downloading all emails belonging to specific users on separate corporate Exchange servers. [38] An undisclosed Washington think tank reported attackers sending convincing emails to contacts in a social engineering attack that encouraged recipients to click on a link. [45] On 11 March 2021, Norway's parliament, the Storting, reported being a victim of the hack, stating that "data has been extracted." [51]
The European Banking Authority also reported that it had been targeted in the attack, [10] later stating in a press release that the scope of impact on its systems was "limited" and that "the confidentiality of the EBA systems and data has not been compromised". [52]
Security company ESET identified "at least 10" advanced persistent threat groups compromising IT, cybersecurity, energy, software development, public utility, real estate, telecommunications and engineering businesses, as well as Middle Eastern and South American governmental agencies. One APT group was identified deploying PowerShell downloaders, using affected servers for cryptocurrency mining. [7] Cybereason CEO Lior Div noted that APT group Hafnium "targeted small and medium-sized enterprises ... The assault against Microsoft Exchange is 1,000 times more devastating than the SolarWinds attack." [53]
On 12 March 2021, Microsoft Security Intelligence announced "a new family of ransomware" called DearCry being deployed to the servers that had been initially infected, encrypting device contents, making servers unusable and demanding payment to recover files. [16] Microsoft stated: "There is no guarantee that paying the ransom will give you access to your files." [54]
On 18 March 2021, an affiliate of ransomware cybergang REvil claimed they had stolen unencrypted data from Taiwanese hardware and electronics corporation Acer, including an undisclosed number of devices being encrypted, with cybersecurity firm Advanced Intel linking this data breach and ransomware attack to the Microsoft Exchange exploits. Advanced Intel detected one of Acer's Microsoft Exchange servers first being targeted on 5 March 2021. REvil has demanded a $50 million U.S. dollar ransom, claiming if this is paid they would "provide a decryptor, a vulnerability report, and the deletion of stolen files", and stating that the ransom would double to $100 million U.S. dollars if not paid on 28 March 2021. [55]
On 2 March 2021, the Microsoft Security Response Center (MSRC) publicly posted an out-of-band Common Vulnerabilities and Exposures (CVE) release, urging its clients to patch their Exchange servers to address a number of critical vulnerabilities. [3] On 15 March, Microsoft released a one-click PowerShell tool, The Exchange On-Premises Mitigation Tool, which installs the specific updates protecting against the threat, runs a malware scan which also detects installed web shells, and removes threats that were detected; this is recommended as a temporary mitigation measure, as it does not install other available updates. [56]
On 3 March 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive forcing government networks to update to a patched version of Exchange. On 8 March, CISA tweeted what NBC News described as an "unusually candid message" urging "ALL organizations across ALL sectors" to address the vulnerabilities. [57] [58]
Other official bodies expressing concerns included the White House, Norway's National Security Authority and the Czech Republic's Office for Cyber and Information Security. [59] [60] On 7 March 2021, CNN reported that the Biden administration was expected to form a task force to address the breach; [61] the Biden administration has invited private-sector organizations to participate in the task force and will provide them with classified information as deemed necessary. U.S. National Security Advisor Jake Sullivan stated that the U.S. is not yet in a position to attribute blame for the attacks. [48]
In July 2021, the Biden administration, along with a coalition of Western allies, formally blamed China for the cyber attack. The administration highlighted the ongoing threat of from Chinese hackers, but did not accompany the condemnation with any form of sanctions. According to White House press secretary Jen Psaki, the administration is not ruling out future consequences for China. [62]
This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.
ESET, s.r.o., is a Slovak software company specializing in cybersecurity. ESET's security products are made in Europe and provide security software in over 200 countries and territories worldwide, and its software is localized into more than 30 languages.
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.
Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.
A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices, or smartphones. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, societies or organizations and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon. Cyberattacks have increased over the last few years. A well-known example of a cyberattack is a distributed denial of service attack (DDoS).
Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR); this view is shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.
Lazarus Group is a cybercrime group made up of an unknown number of individuals run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and Zinc.
A medical device hijack is a type of cyber attack. The weakness they target are the medical devices of a hospital. This was covered extensively in the press in 2015 and in 2016.
The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated by using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life. These patches were imperative to organizations' cyber security but many were not implemented due to ignorance of their importance. Some have claimed a need for 24/7 operation, aversion to risking having formerly working applications breaking because of patch changes, lack of personnel or time to install them, or other reasons.
EternalBlue is a computer exploit developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability.
Petya is a family of encrypting malware that was first discovered in 2016. The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.
A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, United Kingdom, the United States and Australia. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. On 28 June 2017, the Ukrainian government stated that the attack was halted. On 30 June 2017, the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.
The 2018 SingHealth data breach was a data breach incident initiated by unidentified state actors, which happened between 27 June and 4 July 2018. During that period, personal particulars of 1.5 million SingHealth patients and records of outpatient dispensed medicines belonging to 160,000 patients were stolen. Names, National Registration Identity Card (NRIC) numbers, addresses, dates of birth, race, and gender of patients who visited specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018 were maliciously accessed and copied. Information relating to patient diagnosis, test results and doctors' notes were unaffected. Information on Prime Minister Lee Hsien Loong was specifically targeted.
In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.
Hafnium is a cyber espionage group, sometimes known as an advanced persistent threat, with alleged ties to the Chinese government. Hafnium is closely connected to APT40.
On April 20, 2021, it was reported that suspected Chinese-state backed hacker groups had breached multiple government agencies, defense companies and financial institutions in both the US and Europe after the hackers created and used a Zero-day exploit for Ivanti Pulse Connect Secure VPN devices. A Cybersecurity and Infrastructure Security Agency alert reported that the attacks using the exploited started in June 2020 or earlier. The attacks are believed to be the third major data breach against the U.S. in the past year behind the 2020 United States federal government data breach and the 2021 Microsoft Exchange Server data breach.
Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.
A wave of cyberattacks and data breaches began in June 2023 after a vulnerability was discovered in MOVEit, a managed file transfer software.