The fallout from critical Microsoft software bugs exploited by suspected Chinese hackers deepened on Saturday as incident responders warned that state and local organizations across the U.S. could be exposed to the vulnerabilities.
Federal officials rushed to get a better sense of the potential impact of the hacking amid multiple media reports that tens of thousands of organizations could be affected by vulnerabilities as other hacking groups, in addition to the alleged Chinese, moved to exploit bugs in widely used Microsoft technology.
Officials at the Department of Homeland Security’s cybersecurity agency held phone briefings with state and local officials Friday and Saturday to assess the scope of the compromises, and the White House National Security Council urged vulnerable organizations to “take immediate measures” to determine if they were affected. Two DHS officials said the agency was still gathering data on how many organizations might be breached.
The malicious activity amounts to the second major set of cyber incidents facing the Biden administration, which is already coping with a suspected Russian hacking campaign that has exploited software made by federal contractor SolarWinds and other vendors.
“We have two state counties that have seen some indicators of compromise,” said one state official who was on a DHS briefing on the most recent hacking. “Obviously this is a big F’ing deal.”
Alleged Chinese spies have been using flaws in the popular email software program Exchange Server to steal emails from targeted institutions, Microsoft said Tuesday. But the exposure of other organizations that don’t apply the software patches has grown dramatically in recent days as other attackers have pounced on the vulnerabilities.
Officials in Norway and Czech Republic are also investigating breaches tied to the software flaws.
“If an organization hasn’t seen exploitation attempts yet, and they haven’t patched, then exploitation is imminent,” said Sean Koessel, co-founder of security firm Volexity, which tipped Microsoft off to some of the malicious activity.
The Exchange Server intrusions, which are a burden on federal and corporate incident responders already straining to deal with the alleged Russian hacking, are affecting resource-strapped organizations.
“Some local officials I have talked to don’t have the IT support to check or aren’t sure what to do if they find activity,” said Matt Masterson, a former senior election security official at DHS. “They need to seek state, federal or private-sector assistance as soon as possible.”
A precise tally of the number of state and local organizations and U.S. businesses vulnerable to the Exchange Server hacking was elusive. Two people helping respond to the breaches estimated that tens of thousands of organizations could be affected by the malicious activity coming from multiple groups.
Those people cautioned, however, that the amount of exploitation seemed to be changing by the hour and no one organization had total visibility of the activity. Delineating between organizations that are vulnerable and those that have been hacked is also an ongoing process. A third security expert who has analyzed the attacks said it was unlikely that anyone knew the true number of victims.
Independent journalist Brian Krebs first reported on the potential scope of the breaches.
“It’s likely that attackers are in an ‘exploit the world’ phase right now, and they will probably come back to these backdoors at some organizations at a later point in time to continue the attacker phases like lateral movement and data theft,” said Chris DiGiamo, principal security architect at Mandiant, security firm FireEye’s incident response arm.
“However, we have also identified some attackers that are immediately cutting to the chase and trying to steal data too,” DiGiamo added.
One cause for optimism among organizations responding to the Exchange Server attacks is that many of them are automated, said Charles Carmakal, senior vice president and chief technology officer at Mandiant. “Knowing the common post-exploitation activities performed by these automated attacks gives defenders the opportunity to clean up many compromised systems through automated malware detection and removal.”
DHS’s Cybersecurity and Infrastructure Security Agency on Wednesday ordered federal civilian agencies to update their software, when appropriate, in response to the threat.
“High levels of the [National Security Council] are working to address the incident, working with our public and private partners, and looking closely at the next steps we need to take,” a White House official told CyberScoop. “This is an active threat still developing and we urge network operators to take it very seriously.”