30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

Red Falcon ([H]ard DCOTM December 2023; joined May 7, 2007; 12,381 messages)
If any of you are in charge of Microsoft Exchange servers, you might want to get them patched immediately.

30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software
At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
 
You lost me at "OWA exposed to the internet", is this 2008?
Intranets are still a thing, and no, it is 1978. ;)
Was actually thinking of getting a MicroVAX, and running inter-agency email would be quite fun for 1981.
 
Intranets are still a thing, and no, it is 1978. ;)

Major difference between intranet OWA and exposing it to the world.
And if you don't know your shit, just bring in outside consulting or switch to a cloud mail service like Exchange Online.
 
Major difference between intranet OWA and exposing it to the world.
And if you don't know your shit, just bring in outside consulting or switch to a cloud mail service like Exchange Online.

The people making the decisions often grossly underestimate the costs and risk of a data breach. Especially if it's a smaller company that's operating on a shoestring budget.

I think it's getting better though, with people becoming more aware as more breaches happen. Unfortunately, us humans tend to prefer to learn the hard way rather than the easy way.
 
I’ve been checking mine; it isn't finding any breach, but I’m convinced it’s because I’m not looking hard enough. Mine was all patched not too far before those dates and the OWA portal was somewhat secured, but I’m still looking.
 
One of the biggest mistakes we've made as a country is to not treat these breaches as acts of war. An Iranian in a fishing boat comes within 5 miles of an oil tanker and it's front page news, with air strikes a few days later. China breaches 30,000+ US organizations and no one cares. No one is even willing to fart in China's general direction.

I'm guessing the reason it's not an act of war is because the war is already over, and we've already lost.
 
One of the biggest mistakes we've made as a country is to not treat these breaches as acts of war. An Iranian in a fishing boat comes within 5 miles of an oil tanker and it's front page news, with air strikes a few days later. China breaches 30,000+ US organizations and no one cares. No one is even willing to fart in China's general direction.

I'm guessing the reason it's not an act of war is because the war is already over, and we've already lost.

I actually think the biggest reason is because we do the same, and certainly would not want to be retaliated against in the same way.
 
One of the biggest mistakes we've made as a country is to not treat these breaches as acts of war. An Iranian in a fishing boat comes within 5 miles of an oil tanker and it's front page news, with air strikes a few days later. China breaches 30,000+ US organizations and no one cares. No one is even willing to fart in China's general direction.

I'm guessing the reason it's not an act of war is because the war is already over, and we've already lost.
Attribution in cybersecurity is very difficult. They can make extremely educated guesses - but it's not as cut and dry as a boat with the bad guy's flag on it.
 
Attribution in cybersecurity is very difficult. They can make extremely educated guesses - but it's not as cut and dry as a boat with the bad guy's flag on it.

That's why the flood-gates are open I suppose. They know we aren't willing to retaliate, so they have nothing to fear. We might not know the exact person responsible, but we clearly know that it's from China. That should be enough IMO.
 
switch to Linux.
Sadly there really isn’t a Linux equivalent to Exchange, sure there are email hosts out there, but nobody running Exchange is just running Exchange. Exchange is just a middle of the stack component for the entire office workflow.
 

Microsoft Attack Blamed On China Morphs Into Global Crisis

The attack, which Microsoft has said started with a Chinese government-backed hacking group, has so far claimed at least 60,000 known victims globally, according to a former senior U.S. official with knowledge of the investigation. Many of them appear to be small or medium-sized businesses caught in a wide net the attackers cast as Microsoft worked to shut down the hack.
 
If we were this confused about how to react to proxy warfare during the Cold War, the Soviets could have just paid a "terrorist organization" to conduct a nuclear first strike and we would have never retaliated. Apparently we are no longer capable of holding a country responsible for its actions unless they unilaterally hold a press conference and take complete responsibility first.
 
You lost me at "OWA exposed to the internet", is this 2008?
I assume most major businesses and corporations support OWA access from the internet. I know the Dept. of Defense and all US military branches do at least, with 2FA of course.
 
Well, this isn't great.
Scripts running on our servers are seeing possible evidence of the compromise.
Well, that's this week fucked. New Exchange servers, here we come.
Or if I can get them to spring for E-Online it would be great. Sick of my on-prem Exchange servers.
 
Well, this isn't great.
Scripts running on our servers are seeing possible evidence of the compromise.
Well, that's this week fucked. New Exchange servers, here we come.
Or if I can get them to spring for E-Online it would be great. Sick of my on-prem Exchange servers.
Yeah, we don't have anyone running on-prem Exchange anymore.
 
Wow, I am so glad we migrated our Exchange server to O365 even though it sucked to migrate :) Hopefully MS patches 365 as soon as this stuff gets caught.
 
Wow, I am so glad we migrated our Exchange server to O365 even though it sucked to migrate :) Hopefully MS patches 365 as soon as this stuff gets caught.
Fortunately, it involves the hackers having access to a series of management portals that Microsoft does not make public for O365; it really only affects standalone and hybrid systems that haven't followed proper access guidelines. Don't have your ECP portal publicly accessible. Yeah, the exploit does affect OWA to a lesser extent, but they can't do much damage there. I am just super glad I managed to use this as a way to sell admin on 2-factor authentication for all A5 users.
 