Featured the cyberwire

Published on March 16th, 2021


Exchange Server patching and mitigation race to keep pace with exploitation. A low-tech SMS snooping method.



Hafnium’s cyberespionage campaign exploiting now-patched Exchange Server zero days morphed, in late February, into multiple campaigns conducted by both state-directed and criminal threat actors. France 24’s account of the incident bears out their headline: it’s become a “global crisis.”

Criminal interest in exploiting unpatched Exchange Servers continues unabated. Check Point says it’s observed attacks increase by an order of magnitude over the past week. KnowBe4 reports a similar rise in account impersonation attempts. 

CISA has updated its advice on dealing with Microsoft Exchange Server exploitation to include notes on China Chopper webshells being used against victims. The UK’s National Cyber Security Centre (NCSC), like its counterparts in the US, Germany, and elsewhere, has urged all organizations, both public and private, to apply Microsoft’s patches as soon as possible. They also recommend that all organizations look for signs of compromise by threat actors, whether Chinese intelligence services or criminal gangs.





Microsoft itself continues to update guidance on protecting on-premises Exchange Servers from attacks. Yesterday the Microsoft Security Response Center released a new “one-click mitigation tool” to help users secure both current and out-of-support versions of Exchange Server.

Vice has a disturbing first-person account of how an SMS marketing tool can be abused to redirect messages to a third party. It’s not an exotic hack: all the bad actors would need to do is sign up for the service (it’s only $16), falsely claim to be the owner of your number, and then have your messages redirected to a number under their control.
