
China Hacks Exchange Server: Impact on US Small Businesses

March 10, 2021

Cybersecurity Challenges: U.S. Faces Threats from China and Russia

As Washington weighs retaliation against Russia for the recent intrusions into U.S. government networks, it is simultaneously confronting an escalating cyber threat from China.

Hafnium: A China-Backed Hacking Group

Microsoft recently disclosed the activities of a hacking group it calls Hafnium, which operates from within China and which Microsoft assesses to be state-sponsored. The group chained four previously unknown security flaws, known as zero-day vulnerabilities, to break into tens of thousands of organizations.

The compromised systems were on-premises Microsoft Exchange email servers running vulnerable versions of the software (Microsoft's hosted Exchange Online was not affected). Exploiting the flaws gave Hafnium access to mailboxes and address books. The precise motivation behind the campaign remains unclear.

The Scope and Impact of the Attacks

What makes this campaign so serious is not only that the vulnerabilities are easy to exploit, but also the sheer number of affected organizations and the breadth of sectors they span.

Security experts indicate that the attackers employed automated methods, scanning the internet for susceptible servers and targeting a diverse range of sectors. This included legal firms, policy institutes, defense contractors, and even researchers focused on infectious diseases.

Schools, religious organizations, and local government entities were also among the victims utilizing vulnerable Exchange servers.

Patching Vulnerabilities and Addressing Backdoors

Although Microsoft has released security patches for the four flaws, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) cautions that the patches only close the entry point.

They do not remove any backdoors, typically web shells dropped onto the server, that the attackers established before the patch was applied. A server that was exploited and then patched remains compromised until those footholds are found and removed.

Challenges for Smaller Organizations

Larger organizations, possessing greater resources, are better positioned to investigate potential compromises and prevent further malicious activity, such as the deployment of destructive malware or ransomware.

However, smaller and rural entities often lack the necessary expertise and are largely left to address the situation independently.

Matthew Meltzer, a security analyst at Volexity, notes that many victims rely on local IT providers who specialize in system deployment and management, rather than in responding to sophisticated cyberattacks.

The Recovery Process and Ongoing Threats

Simply applying the patches represents only one aspect of the recovery process. For smaller businesses lacking dedicated cybersecurity personnel, thoroughly cleaning up after the hackers will prove to be the most demanding task.

Furthermore, there is a pressing need to prevent other malicious actors from discovering and exploiting the same vulnerabilities to distribute ransomware or launch destructive attacks. Both Red Canary and Huntress have reported that multiple hacking groups, beyond Hafnium, are actively exploiting these flaws. ESET estimates that at least ten groups are involved.

Widespread Exploitation and Remediation Efforts

Katie Nickels, Director of Intelligence at Red Canary, confirms “clearly widespread activity” exploiting the Exchange server vulnerabilities, although the total number of exploited servers appears to be lower than initially feared.

She emphasizes that removing the initial web shells will be relatively straightforward for most IT administrators, compared to investigating any subsequent malicious activity.

Microsoft has published guidance for administrators, and CISA offers both advice and a tool that scans server logs for evidence of compromise. The White House's National Security Council issued a rare statement stressing that patching alone is insufficient and urging businesses to take "immediate measures."
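To make concrete what "patching alone is insufficient" means for an administrator, the following is an added example (not code from the article, from Microsoft, or from CISA) of a first triage step on a patched on-premises Exchange server: list any recently written ASP.NET script files in the directories that Microsoft's published guidance named as common web shell drop locations, with a SHA-256 for each, so they can be compared against a known-clean server of the same build. The `$Days` look-back window, the default install path, and the `ExchangeInstallPath` environment variable are assumptions to adjust for your environment. A hit is a lead for investigation, not proof of compromise, and nothing here deletes files.

```powershell
# Added example, not from the article, Microsoft or CISA. Run in an elevated
# PowerShell session on the Exchange server after patching.
param(
    # Assumption: how far back to look. Set this to cover your full exposure window.
    [int]$Days = 60
)

# Assumption: Exchange setup exports ExchangeInstallPath; fall back to the default path.
$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) {
    $exchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'
}

# Directories named in Microsoft's March 2021 guidance as common web shell locations.
# aspnet_client normally holds only static client-side script, so any .aspx there is suspect;
# owa\auth legitimately contains .aspx pages, so compare against a clean reference before acting.
$candidateDirs = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\owa\auth')
)

$since = (Get-Date).AddDays(-$Days)

$findings = foreach ($dir in $candidateDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                LastWrite = $_.LastWriteTime
                SizeBytes = $_.Length
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    $findings | Sort-Object -Property LastWrite -Descending | Format-Table -AutoSize
    # Keep a record for the investigation; hashes let you check against a clean server.
    $report = Join-Path $env:TEMP 'exchange-script-review.csv'
    $findings | Export-Csv -Path $report -NoTypeInformation
    Write-Warning "Review these files against a known-clean Exchange server of the same build. Report saved to $report. Do not remove anything until the investigation is complete."
} else {
    Write-Output "No script files written in the last $Days days under the checked directories."
}
```

The script deliberately stops at listing and hashing: as the article notes, removing a web shell is the easy part, and deleting it before capturing evidence destroys the trail needed to work out what the attacker did after gaining access.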

Coordination and Assistance for Smaller Businesses

The effectiveness of this guidance in reaching smaller businesses will be closely monitored.

Cybersecurity expert Runa Sandvik highlights that many smaller organizations may be unaware of their compromise, and even if they are, they will require detailed, step-by-step instructions on how to proceed.

“Defending against a threat is one aspect, but investigating a potential breach and removing the attacker is a more significant undertaking,” Sandvik explains. “Organizations can install patches, but determining if a breach occurred requires time, tools, and access to logs.”

Global Impact and International Response

While Hafnium primarily targets U.S. organizations, the attacks have a global reach. The European Banking Authority has confirmed that its Exchange email servers were compromised.

Norway’s national security authority has detected exploitation of these vulnerabilities within the country and is scanning its internet space to notify affected server owners. Slovenia’s cybersecurity response unit, SI-CERT, has also alerted potential victims.

Sandvik suggests that improved coordination between the U.S. government and the private sector is crucial, given the widespread impact on U.S. businesses. CISA was recently granted new powers to subpoena internet providers to identify owners of vulnerable systems, as part of the government’s annual defense bill.

“Someone needs to take ownership of this issue,” Sandvik concludes.
