The Federal Office for Information Security (BSI) has warned of an IT security emergency caused by several critical vulnerabilities in various versions of Microsoft's Exchange Server. According to data from the search engine Shodan, which specializes in Internet-connected devices, thousands of computers running the groupware software in Germany alone are exposed to attack over the Internet and are "with a high degree of probability already infected with malware."
Follow-on attacks with little effort
"Organizations of all sizes are affected," the BSI writes. The office has already issued a security warning on the matter. In view of the increased risk, it has begun to inform potentially affected parties directly: on Friday it wrote by post to the management of more than 9,000 medium-sized companies and recommended countermeasures. The agency estimates that the actual number of vulnerable systems in Germany is much higher.
The BSI has advised all operators of the affected Exchange Server versions to install the security updates provided by Microsoft immediately. The vulnerabilities closed by these updates are currently being "actively exploited by a group of attackers". "In addition, in many infrastructures Exchange Server has high privileges in Active Directory by default," the office warns. It is therefore foreseeable that follow-on attacks carried out with the rights of a compromised Exchange system could "potentially compromise the entire domain with little additional effort".
Small and medium-sized businesses often have security gaps
For servers that have not yet been patched, the BSI assumes that they have already been taken over by criminal hackers and are under their control. The risk of attack is currently very high because the vulnerabilities are easy to exploit, exploit code is publicly available, and "extensive worldwide scanning activity" is being observed. Affected Exchange systems must therefore also be checked urgently for anomalies, since patching alone does not remove an attacker who is already on the system. The BSI situation center is staffed around the clock and provides current information.
To make matters worse, according to the authority, thousands of systems still have gaps that have been known for more than a year and have not yet been patched. This is often the case at small and medium-sized companies. Beyond access to the e-mail communications of the respective company, attackers can often gain access to the entire company network through such vulnerable servers.
Hacker group possibly works for the Chinese government
On Wednesday, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering all federal agencies to apply the current Exchange patches. It justified the use of this rarely used instrument with the unacceptable risk of inaction, as the vulnerabilities are being widely exploited and attackers thereby gain "persistent system access".
Microsoft sees the hacking group Hafnium behind the wave of attacks, which according to the company "very likely" operates on behalf of the Chinese government and spies on US targets. The attackers had previously targeted health care researchers, law firms, civil society organizations, educational institutions and defense companies.
Focus on e-mail traffic
According to the Krebs on Security portal, at least 30,000 organizations in the US have been hacked in the last few days by a particularly aggressive cyber espionage unit. These include many medium-sized companies, but also city and municipal administrations. The attackers are particularly interested in the organizations' e-mail traffic.
In each case, the report states, the intruders left behind a "web shell": an easy-to-use, password-protected hacking tool that can be reached over the Internet from any browser and gives the attacker administrator-level access to the server. According to cyber security experts, the group has already taken control of hundreds of thousands of Exchange servers worldwide.
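The BSI's advice above to check affected Exchange systems for anomalies, and the web shells described in this paragraph, suggest one concrete check a responder would run: look for newly written or suspicious server-executed files under the Exchange web directories. The script below is an added example written for this page, not the BSI's, Microsoft's or Krebs on Security's tooling. It is a platform-independent Python illustration of what an administrator would more typically do with PowerShell on the Exchange host; the directory layout, file names and indicator patterns are assumptions and constructed sample data, not artifacts from the real incident.

```python
"""Heuristic web-shell hunt over an IIS/Exchange web root (added example).

Two signals are combined: files written after a chosen cut-off date (the
article reports web shells placed from 28 February 2021), and content that
hands request data to an evaluator, a process launcher or a file writer.
The content check runs regardless of timestamps because an attacker can
reset file times.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# File types IIS hands to the ASP.NET/ASP engine. Assumed list, extend as needed.
WEB_EXTENSIONS = {".aspx", ".asmx", ".ashx", ".asp"}

# Generic indicators of web-shell behaviour. These are assumed heuristics for
# triage, not signatures for any specific malware family.
INDICATORS = {
    "eval_of_request": re.compile(rb"eval\s*\(\s*Request", re.IGNORECASE),
    "process_start": re.compile(rb"Process\.Start\s*\(|ProcessStartInfo\s*\(", re.IGNORECASE),
    "shell_binary": re.compile(rb"cmd\.exe|powershell(\.exe)?", re.IGNORECASE),
    "request_to_file": re.compile(rb"(WriteAllBytes|WriteAllText|SaveAs)\s*\([^)]*Request", re.IGNORECASE),
}

# Earliest date from which new files are treated as suspicious (from the article).
SINCE = datetime(2021, 2, 28, tzinfo=timezone.utc)

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def hunt_web_shells(root, since=SINCE):
    """Return findings for web files under `root` that are recent, contain
    indicators, or both. Each finding is a dict sorted by severity."""
    since_ts = since.timestamp()
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        mtime = path.stat().st_mtime
        data = path.read_bytes()
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(data))
        recent = mtime >= since_ts
        if not hits and not recent:
            continue  # old file with no suspicious code: nothing to report
        severity = "high" if (hits and recent) else "medium" if hits else "low"
        findings.append({
            "path": str(path),
            "modified": datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
            "recent": recent,
            "indicators": hits,
            "severity": severity,
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["path"]))
    return findings


def build_sample_tree():
    """Create a constructed directory that mimics an Exchange web root.
    Contents and timestamps are synthetic sample data for this example."""
    root = Path(tempfile.mkdtemp(prefix="exchange_webroot_sample_"))
    old_ts = datetime(2020, 6, 1, tzinfo=timezone.utc).timestamp()
    new_ts = datetime(2021, 3, 2, tzinfo=timezone.utc).timestamp()
    samples = {
        # legitimate-looking page, untouched for months
        "owa/auth/logon.aspx": (b'<%@ Page Language="C#" %>\r\n<form runat="server"></form>', old_ts),
        # constructed one-line shell: request parameter fed straight to eval()
        "owa/auth/sample_shell.aspx": (b'<%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>', new_ts),
        # recently written but benign content: reported at low severity for review
        "owa/auth/theme.aspx": (b'<%@ Page Language="C#" %><% Response.Write("ok"); %>', new_ts),
        # not a server-executed handler, ignored entirely
        "ecp/readme.txt": (b"not a handler", new_ts),
    }
    for rel, (content, ts) in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
        os.utime(target, (ts, ts))
    return root


def run_demo():
    """Build the sample tree and hunt over it; returns the findings list."""
    return hunt_web_shells(build_sample_tree(), SINCE)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["severity"].upper(), finding["path"], finding["indicators"])
```

On a real host the root would be the IIS web root and the Exchange front-end virtual directories; any "high" hit should be treated as a compromised server and handed to incident response rather than simply deleted, because the web shell is only the foothold the article describes, not the full extent of the intrusion.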
Foreign government spies
According to Microsoft, the first indications of the Exchange vulnerabilities came from the Virginia IT security company Volexity. Its founder, Steven Adair, said the company is working on dozens of cases in which web shells were placed on target systems as early as February 28, before Microsoft released the update. Even where the hole was patched on Wednesday, there is a high probability that the attackers' software is already present on a previously vulnerable server. After the so-called SolarWinds hack, the new wave of attacks marks the second case of a massive cyber campaign behind which the US sees spies of foreign governments at work.