The media continues to report on the Microsoft Exchange hack, likely perpetrated by China. Reports are that at least 30,000 Exchange servers in the United States are impacted and some people say that number is likely way underestimated. On top of that, the number of servers worldwide is maybe ten times that number.
Given all the media attention, you would think that everyone would, at least, install the patches. It appears that AT LEAST 46,000 servers are not patched, according to The Record.
So why is this a big deal? First, the attackers could read any email on those servers. Whatever that might contain. One organization affected was the European Banking Authority. They say that no data was accessed. Sure, we believe them.
Second, the attackers, in many cases, left behind a present called a web shell. It is a way for the attackers to get back in to the server later. Many of our IT partners decided the only way to make sure that the hackers are really out is by rebuilding the servers from bare metal, not a simple task, especially if you have to do that to tens of thousands of servers.
So lets look at the timeline involved. We are getting more details every day and this timeline is interesting. This timeline comes from Brian Krebs, who Chris Krebs, former head of DHS CISA called his brother from another brother (i.e. they are not related).
Security testing firm Devcore says they alerted Microsoft on January 5 – two months ago.
On January 6th, Veloxity spots attacks that use unknown Exchange bugs
On January 8th, Devcore told Microsoft that they had been able to reproduce the bug.
On January 27th Dubex tells microsoft about new attacks on Exchange servers.
On January 29th, Trend Micro reports in their blog about these web shells infecting Exchange servers, but incorrectly says this was allowed by a bug patched last year.
In February, Microsoft tells the folks who reported the bug that they had escalated the problem and that they had a target release date of March’s patch Tuesday, March 9th.
By the end of February, the cat is out of the bag (it is hard to keep good news secret) and security folks are seeing global mass scans of Exchange servers looking for vulnerable systems.
This forces Microsoft’s hand and they released the patches a week before they planned to, now on March 2.
By March 3rd, tens of thousands of Exchange servers have been compromised. Once the patch is out, especially knowing that it is an emergency patch, hackers worldwide reverse engineer the patch, likely within hours of it being released.
By this time it is a national security emergency and everyone from CISA (who told government agencies that they had 48 hours to patch their servers or shut them down) to the White House to the National Security Advisors are sounding the alarm bell.
On March 5th, Chris Krebs, former head of DHS CISA says that the real number of compromised servers dwarfs the numbers being reported.
Needless to say, this is a big problem.
A couple of interesting footnotes.
Microsoft says that Office 365 was not compromised. Why? Don’t know. Possibly their server configuration is different. Possibly, since they knew about the bugs in early January, they were able to tweak their security before the word got out. I vote for number 2. Apparently at this point, now that we know how the attacks work, it is easy to block new attacks.
Second, Microsoft released patches for every supported version of Exchange. That means that the bug goes back, at least, to 2013.
But wait. Microsoft even patched an unsupported version of Exchange – Exchange 2010. That means that the bugs go back at least a decade. Possibly more.
Now here is the answer that we don’t have.
Were these bugs being quietly exploited for years? Remember if you do it quietly, you probably won’t get noticed.
If so, by whom?
The NSA, CIA, Others?
Foreign intelligence agencies – friendly or not?
And if so, what have they stolen?
Likely we will never know the full extent of the attack, but between the SolarWinds hack and the Microsoft Exchange attack, one thing should be clear. We came to a gun fight with a spoon. And if we do not improve on our security efforts, we are going to continue to lose.