Security researchers reported at least 30,000 organizations across the US have been hacked over the past few days by an unusually aggressive Chinese cyber-espionage unit focused on stealing email. The researchers say that many of the organizations targeted in the act include small businesses, cities, and local governments. The group of hackers is exploiting four newly-discovered flaws in Microsoft Exchange Server email software.
The hackers have been able to seed hundreds of thousands of victim organizations worldwide with tools to allow the hackers complete remote control over affected systems. Microsoft is attempting to combat the hackers and, on March 2, released emergency security updates that plugged four security holes in Exchange Server versions 2013 through 2019 being actively exploited. In the days following those security patches, security experts say that the Chinese cyber-espionage group has stepped up attacks on any vulnerable and unpatched Exchange server worldwide.
In each incident, the hackers left behind a web shell, an easy use and password-protected tool that can be accessed over the Internet from any browser. That web shell can give the hackers administrative access to the victim’s computer. According to two unnamed cybersecurity experts who have been part of briefings with US national security advisers, the hackers have seized control over hundreds of thousands of Microsoft Exchange Servers globally.
The group has targeted email systems in various industry sectors ranging from infectious disease researchers to law firms, defense contractors, and others. The attack was first discovered by a company called Volexity. The company says even those who patched their Exchange Server the same day the patches were published have a high likelihood of having a web shell on the server. The researchers say any company running Exchange that hasn’t patched yet is likely already compromised.