The Mechanics Behind the Latest Microsoft Exchange Hack

March 22, 2023

In January 2021, a major attack on Microsoft took place that leveraged its Exchange business email server software. By March, the attack had spiralled out of control and become a global cybersecurity issue in which threat actors managed to compromise thousands of companies.

First Report and Condemnation of the Cyber Attack

Volexity first reported, on January 6th, that attackers were actively exploiting a vulnerability in the Microsoft Exchange email server. Unfortunately, this was the time when the US Capitol riot became the focus of the media, diverting attention away from the major finding. The Biden administration has since been openly claiming Chinese involvement in the Exchange hack that compromised thousands of computer systems.

Following this statement, Microsoft affirmed that the alleged Chinese cyberattack had many victims throughout the world, with most of those affected being small and medium-sized businesses.

The Impact on Organizations

The aggressive cyberattack stole emails from over 30,000 servers in the U.S. According to Bloomberg, however, the real number of affected businesses could be as high as 60,000. The alleged Chinese espionage hacking group successfully exploited four flaws in Exchange, which together gave them full Remote Command Execution (RCE) on the affected systems.

Hafnium, the Chinese hacking group believed to be behind the attack, used a web of Virtual Private Servers in the U.S. to conceal its original location. In the past, the group has targeted businesses, defence contractors, researchers, and non-profit organizations.

Extent of Exploitation

The Microsoft Exchange hack is similar to the WannaCry ransomware attack of 2017. Microsoft highlights that DearCry/DoejoCrypt, a ransomware variant, is exploiting the same Exchange bugs to deploy ransomware on any vulnerable Exchange server.

The deployment of China Chopper web shells on compromised Exchange servers has become a common attack strategy. Through the web shell, a batch file is written to the infected server, and once it runs the attackers have a foothold on the vulnerable system.

Microsoft notes that the batch file conducts a SAM (Security Account Manager) database backup. Once the security-related registry hives have been copied, hackers can access the passwords of system users held in the registry's Local Security Authority portion, in turn allowing them to connect to the organisation while impersonating a valid user.
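As an added defender-side example that is not part of the original article, the following Python flags process command lines that save or export the SAM, SYSTEM or SECURITY registry hives, the step the batch file described above performs. The sample events are constructed, and the use of reg.exe for the backup is an assumption, since the article only states that the batch file backs up the SAM database.

```python
import re

# Constructed sample process-creation events (not real telemetry). Whether the
# batch file uses reg.exe is an assumption; the article only mentions a SAM backup.
SAMPLE_EVENTS = [
    {"host": "exch01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c reg save HKLM\SAM C:\Windows\Temp\sam.save"},
    {"host": "exch01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg  save hklm\system c:\programdata\sys.hiv"},
    {"host": "exch01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Exchange"},
    {"host": "mail02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg export "HKLM\SECURITY" C:\Users\Public\sec.reg /y'},
    {"host": "mail02", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c type c:\inetpub\wwwroot\aspnet_client\index.aspx"},
]

# Hives whose offline copies expose local credentials: SAM (account hashes),
# SYSTEM (the boot key that protects SAM) and SECURITY (LSA secrets).
HIVE_EXPORT = re.compile(
    r'\breg(?:\.exe)?\s+(save|export)\s+"?(hklm|hkey_local_machine)\\(sam|system|security)\b',
    re.IGNORECASE,
)


def find_hive_exports(events):
    """Return one finding per event whose command line copies a sensitive hive."""
    findings = []
    for ev in events:
        m = HIVE_EXPORT.search(ev["cmdline"])
        if m:
            findings.append({"host": ev["host"], "action": m.group(1).lower(),
                             "hive": m.group(3).upper(), "cmdline": ev["cmdline"]})
    return findings


def hosts_with_sam_and_system(findings):
    """Hosts where both SAM and SYSTEM were copied: the pair needed to recover hashes."""
    hives_by_host = {}
    for f in findings:
        hives_by_host.setdefault(f["host"], set()).add(f["hive"])
    return sorted(h for h, hives in hives_by_host.items() if {"SAM", "SYSTEM"} <= hives)


if __name__ == "__main__":
    hits = find_hive_exports(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']}: {f['action']} {f['hive']} <- {f['cmdline']}")
    print("full SAM+SYSTEM pair on:", hosts_with_sam_and_system(hits))
```

The regex tolerates the `reg.exe` spelling, repeated whitespace, a quoted hive path and mixed case, so the same rule can be run over Sysmon or EDR process-creation records after the `cmdline` field is mapped.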

Released Patches

In April, Microsoft finally rolled out its official security updates for its business products. Since then, however, there have been many unscheduled releases to fix Exchange bugs. In fact, Microsoft treats Exchange bugs as serious issues: it tackled 114 CVEs relating to Exchange, of which 19 were critical. Specifically, CVE-2021-28481 and CVE-2021-28480 were the two RCE vulnerabilities that the NSA reported.

Throughout the cybersecurity crisis, Microsoft collaborated with CISA (Cybersecurity & Infrastructure Security Agency), security companies, and other U.S. agencies to guide businesses on how to minimise the impact of the Exchange hack.

Final Thoughts

Although officials profess that the cybersecurity crisis is serious, businesses can still mitigate the damage by applying the available patches. The silver lining is that Microsoft assures businesses that its cloud email system is not affected.