The Washington Post

The Cybersecurity 202: More hackers jump to take advantage of a widespread Microsoft security flaw


with Aaron Schaffer

Government officials and cybersecurity experts are scrambling to stem the damage from a security flaw in Microsoft Exchange that has allowed hackers to infiltrate the servers of at least 30,000 U.S. organizations.

The growing number of hackers taking advantage has just made that task much more difficult.

Since Microsoft and cybersecurity firm Volexity first attributed the breach to Hafnium, a group of hackers they tied to China, cybersecurity researchers say more groups are getting in on the action.

“It’s a frenzy,” says Steven Adair, president of Volexity, which first discovered the problem.

Adair described the race to take advantage of the tens of thousands of servers that have not yet been secured as “a golden opportunity.”

Researchers at cybersecurity firm ESET say at least ten different groups are taking advantage of the Exchange server vulnerability. 

They have identified more than 5,000 servers across more than 115 countries affected by the activity. All but one of the groups focused on espionage – stealing data for the benefit of governments, ESET found.

Ben Read, director of analysis at FireEye's Mandiant Threat Intelligence group, said its data also shows “multiple likely-China groups using the exploit in different waves, matching what ESET has seen,” though he could not directly confirm its research.

In addition to the Chinese groups, at least one Russian-language criminal group appears to have gotten in on the action, cybersecurity firm Recorded Future told Ellen Nakashima.

Palo Alto Networks estimated earlier this week that more than 125,000 Exchange servers remained vulnerable to new attacks. That number is dropping, indicating that the push by Microsoft and the government for companies to roll out the fix is working. In some cases, researchers say, attackers piggybacked on other groups' remote access into the systems before they could be secured.

The consequences of the attacks could be long-lasting and far-reaching, government officials warn.

“FBI and [Cybersecurity and Infrastructure Security Agency] assess that adversaries will continue to exploit this vulnerability to compromise networks and steal information, encrypt data for ransom, or even execute a destructive attack,” the agencies wrote in a joint warning yesterday. Adversaries may also sell access to compromised networks on the dark web.

The agencies said that the attacks “are consistent with previous targeting activity by Chinese cyber actors.”

Researchers share the government's concerns that criminal hackers could use their access to lock up people's data and demand money. “It is inevitable that more and more threat actors, including ransomware operators, will have access to the exploits sooner or later,” ESET researcher Matthieu Faou said in a statement.

“Absolutely ransomware is a concern that I have about all these systems that still remain unpatched,” agreed Ryan Olson, vice president of threat intelligence at Palo Alto Networks.

The biggest question is what hackers were able to do when they were in the network.

Researchers say that booting the hackers wouldn't necessarily be technically challenging, but assessing the damage could be time-consuming. There are a number of scenarios that companies will have to look out for – including investigating whether documents were stolen, whether the hackers moved into other systems, and whether they acquired passwords that could be used to let them back in later.

It's a significant undertaking for any organization, let alone the small businesses and local governments that were widely hit by the attacks, says Adair.

The attacks' large number of victims also presents a hurdle to stemming more damage. Law enforcement is currently scrambling to reach potential victims in government and critical industries. "The process of trying to notify potentially thousands of compromised victims is a huge challenge," says Katie Nickels, director of intelligence at cybersecurity firm Red Canary.

The government stepped up its action this week. 

The White House's National Security Council on Tuesday formally convened an interagency group to coordinate a response to the attack, building off efforts by U.S. government agencies since the breach was discovered, an NSC spokesperson said in a statement.

The White House is also coordinating with the private sector, and the administration and Microsoft are scheduled to brief the Senate Intelligence Committee on the attacks this week. President Biden has been briefed and is tracking this issue closely, the spokesperson said.

The keys

A watchdog said the U.S. civilian cybersecurity agency needs to make improvements.

The third phase of a plan to streamline the Cybersecurity and Infrastructure Security Agency (CISA) hasn’t yet been implemented, the Government Accountability Office said in a report. The watchdog said that CISA, which was spun off from a Department of Homeland Security (DHS) office in 2018, did not complete 43 of the 94 tasks it had planned to update the agency's organization by February 2021. Those included finalizing the roles of each division of the agency.

The watchdog noted that “it may be difficult for [CISA] to identify and respond to cybersecurity incidents” like the cyberattack on SolarWinds and other software until it makes those changes. “We concur with the recommendations and will continue to work tirelessly to grow our capabilities and strengthen the partnerships with our stakeholders,” CISA acting director Brandon Wales said in a statement.

Cybersecurity officials told Congress they need more funding.

Acting CISA director Brandon Wales and the agency’s executive assistant director of cybersecurity, Eric Goldstein, said that the agency needs the money to hunt for vulnerabilities in government networks and better respond to cybersecurity incidents, The Hill’s Maggie Miller reports. They testified before a House Appropriations Committee panel as the House passed a coronavirus relief package that includes $650 million for the cybersecurity agency.

“$650 million is a down payment. It accelerates some of these efforts, but this is going to require sustained investment,” Wales said. “It will also increase the visibility for agencies themselves, and those agencies themselves are going to need additional resources to make sure they can fully leverage the improved capabilities that we will be deploying.”

The FBI warned that deceptive videos will become more pervasive.

“Deepfake” videos using artificial intelligence to impersonate real people are expected to ramp up in the near future, the FBI warned in a message to businesses. The bureau said that it anticipates such content will have a “more severe and widespread impact” because of its increasing sophistication, and that businesses should be on alert for hackers impersonating and tricking employees.

In 2019, a distorted video of House Speaker Nancy Pelosi (D-Calif.) ricocheted across social media, raising alarm about manipulated videos ahead of the 2020 election. Experts told Congress that deepfakes would only get worse.

Hill happenings

Sen. Ron Wyden (D-Ore.) warned of the overreach of surveillance in the wake of a massive breach.

Wyden said that a hacker collective’s breach of thousands of security cameras produced by Verkada “exposes the threat that government and private surveillance will be turned against law-abiding Americans by criminals, predators and spies,” Bloomberg News’s William Turton and Ryan Gallagher report. Hackers were able to access real-world images and videos as well as the company’s client list, which included more than 24,000 organizations, my colleague Drew Harwell reports. Employees told Bloomberg that high-level administrator accounts were widespread in the company, with even interns having access to tens of thousands of cameras.

Cyber insecurity

Giant datacenter fire takes down government hacking infrastructure (Motherboard)
  • A House Judiciary committee panel holds a hearing on technology competition and the press on Friday at 10 a.m. Microsoft president Brad Smith, whose company said China and other hackers attacked its email software recently, is expected to testify.
  • Former Google CEO Eric Schmidt, the chairman of a government commission on artificial intelligence, testifies with other commissioners at a joint hearing on Friday at 11 a.m.
  • Homeland Security Secretary Alejandro Mayorkas testifies before the House Homeland Security Committee at 9:30 a.m. on March 17.

Chat room

CrowdStrike co-founder Dmitri Alperovitch has some tough love for those running Microsoft Exchange:

Kevin Beaumont, a senior threat intelligence analyst at Microsoft's threat intelligence division. 

Emily's List chief technology officer and chief information security officer:

Secure log off