Microsoft warns multiple groups hacking clients’ email servers
Researchers fear that cyber criminals could exacerbate an initial hacking campaign attributed to a state-sponsored group in China.
Microsoft has warned that “multiple actors” are attacking its clients’ email servers following a global hacking campaign which it last week attributed to a China-based state-sponsored group.
Last week government security authorities amplified Microsoft’s urgent call for customers running on-premise Exchange servers to apply the patch, and the company is now warning that there are multiple groups taking advantage of unpatched systems.
After compromising email servers belonging to these organisations, Microsoft said the attackers created web shells – interfaces which allow them to remotely access the compromised network even after the original vulnerabilities were patched – which is provoking additional concern.
Because the campaign was so broad, not all of the compromised servers are operated by organisations that would typically be of interest to cyber spies
But experts are concerned that if criminals were to piggyback on those spies’ access then they could cause significant collateral damage.
Dmitri Alperovitch, the co-founder and former chief technology officer of cyber security firm Crowdstrike, warned that financially-motivated criminals could access these webshells and potentially deploy ransomware.
This in my view deserves a significant response by the Biden Administration, especially if we start seeing, as expected, damaging ransomware attacks against American companies this week 4/4
“Because this campaign is still ongoing – Chinese have webshells on tens of thousands of networks – the response must demand immediate shutdown of those implants to limit damage, not just signal our displeasure with the fact that it had occurred. Needs to happen now,” he added.
The UK’s National Cyber Security Centre said it is working to establish the extent of the campaign’s impact on the country.
One cyber security professional told Sky News their business had seen a number of clients in the UK compromised by the campaign, many of whom they would not have expected to be a typical target for Beijing, suggesting the attackers would have a subsequent triage stage to select specific victims.
The Washington Post reported that the “indiscriminate nature” of the campaign has caused concern among officials, and that the Biden administration was moving to address the incident – although no actions have yet been announced.