The global cyber attack Microsoft shed light on last week has hit tens of thousands of businesses – and Australia’s feeling the brunt of it as well.
A hacking group based out of China is allegedly behind the assault. Microsoft said that the group, known as HAFNIUM, embarked on a sophisticated attack on the company’s popular email software, Microsoft Exchange, installing malware that has left thousands of servers vulnerable.
The hack centred on web shells: once the attackers had gained access to a server and its email accounts, they installed a malicious script on the server that let them return to the compromised machine at a later stage.
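Because a web shell is simply an extra server-side script left in a directory the web server executes, one practical way for a defender to spot one is to compare the content directory against a known-good baseline. The following is an added example, not code from the article, Microsoft or any Exchange tooling; the directory layout, file names and simulated changes are constructed for the demonstration, and the set of script extensions is an assumption about what an IIS host will execute.

```python
"""File-integrity check for a web server's content directory (added example).

A web shell is a script dropped where the web server will execute it, so a
baseline of known-good file hashes makes any new or altered server-side
script stand out. All paths and sample files below are constructed.
"""
import hashlib
import os
import tempfile

# Assumption: file types IIS will execute server-side; tune to the deployment.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return (new_scripts, modified, missing) relative to the baseline.

    new_scripts contains only server-executable files absent from the
    baseline: those are the candidates a responder should read first.
    """
    new_scripts = sorted(
        path for path in current
        if path not in baseline
        and os.path.splitext(path)[1].lower() in SCRIPT_EXTENSIONS
    )
    modified = sorted(
        path for path in current if path in baseline and current[path] != baseline[path]
    )
    missing = sorted(path for path in baseline if path not in current)
    return new_scripts, modified, missing


def demo():
    """Constructed scenario: record a baseline, then simulate post-compromise changes."""
    with tempfile.TemporaryDirectory() as root:
        pages = os.path.join(root, "pages")
        os.makedirs(pages)
        with open(os.path.join(pages, "login.aspx"), "w") as handle:
            handle.write("<!-- constructed placeholder for a shipped page -->\n")
        with open(os.path.join(root, "web.config"), "w") as handle:
            handle.write("<configuration/>\n")
        baseline = build_manifest(root)

        # Simulated changes: an unexpected script appears and a shipped file is altered.
        with open(os.path.join(pages, "unexpected.aspx"), "w") as handle:
            handle.write("<!-- constructed: file absent from the baseline -->\n")
        with open(os.path.join(root, "web.config"), "a") as handle:
            handle.write("<!-- appended -->\n")
        current = build_manifest(root)
        return compare_manifests(baseline, current)


if __name__ == "__main__":
    new_scripts, modified, missing = demo()
    print("new server-side scripts:", new_scripts)
    print("modified files:", modified)
    print("missing files:", missing)
```

In practice the baseline manifest would be taken from a freshly patched, trusted install (or from the vendor's shipped file list) and stored off the server, since an attacker who can write to the web root can also edit a manifest kept beside it.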
With over 7,000 Microsoft Exchange servers left potentially vulnerable across Australia, the country has the fourth-highest number of vulnerable servers in the world. The United States holds 31,000, Germany has 17,000 and the UK has 11,000.
Microsoft sent out emergency patches last week for what are described as “zero-day exploits”, the name referring to the fact that developers had no time at all to repair the flaws before they were exploited.
“The attacks included three steps,” Microsoft explained in a blog post.
“First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”
Businesses around the world are being warned to update their software as soon as possible in order to close the back door that this attack can leave wide open.
In the US, where at least 30,000 organisations have had their email accounts left exposed, the Biden Administration has put together an emergency taskforce to address the attack.
“This is a significant vulnerability that could have far-reaching impacts,” said White House press secretary Jen Psaki.
“We are concerned that there are a large number of victims and are working with our partners to understand the scope of this.”
The US Cybersecurity and Infrastructure Security Agency issued an Emergency Directive requiring that all federal civilian departments and agencies running Microsoft Exchange either “update or disconnect the products from their networks until updated with the Microsoft patch.”
The Australian Signals Directorate’s Australian Cyber Security Centre is also calling for patches to be urgently implemented, pointing out the four Common Vulnerabilities and Exposures:
- CVE-2021-26855 – server-side request forgery (SSRF) vulnerability in Exchange.
- CVE-2021-26857 – insecure deserialization vulnerability in the Unified Messaging service.
- CVE-2021-26858 – post-authentication arbitrary file write vulnerability in Exchange.
- CVE-2021-27065 – post-authentication arbitrary file write vulnerability in Exchange.
While there are calls for businesses and organisations to tackle the vulnerabilities, there remains a concern that many will not understand the time-sensitive scenario at hand or will simply not have the capabilities to do so.
“When zero-day vulnerabilities are found and reported, the advisories are almost always extremely technical. Unfortunately, this means only specialist teams understand the implications,” said Ian Yip, CEO of cybersecurity software company Avertro.
“The typical advice that gets communicated in these situations is to patch the vulnerable infrastructure components immediately. What’s usually difficult to ascertain for most organisations, is how “immediate” everything needs to be.
“Taken in a macro-context, leadership needs to factor in the implications to the business. Will business continuity be impacted? What are the risks of patching immediately versus tomorrow or over the weekend? Is the cyber risk higher than the commercial risk? The information required for business leadership to make decisions in these kinds of situations is inadequate and we need to do better as an industry to make things more understandable at all levels.”