The Federal Office for Information Security (BSI) warns of IT security failures resulting from multiple vulnerabilities in various versions of Microsoft Exchange Server. In Germany alone, tens of thousands of computers running the groupware can be attacked over the Internet and, according to search statistics from Shodan, the search engine specialising in the Internet of Things, are “with a high probability already infected with malware”.
More attacks with little effort
“Systems of all sizes are affected,” the BSI writes. The office has already issued a security alert. In view of the increased risk, it has begun to contact the victims directly: on Friday it mailed the management of more than 9,000 medium-sized companies and suggested countermeasures. The authority estimates that the actual number of vulnerable organisations in Germany is significantly higher.
The BSI instructs all operators of affected Exchange servers to immediately install the security updates that Microsoft provided on Wednesday night. The vulnerabilities they close are currently being “actively exploited by an attacker group” remotely. “In addition, Exchange servers often have high privileges in the Active Directory that is present in many infrastructures,” the office warns. It is therefore conceivable that further attacks using the rights of a compromised system could “compromise the entire domain with little effort”.
Small and medium businesses often have security gaps
In the case of servers that have not yet been patched, the BSI assumes that they have already been taken over and are controlled by criminal hackers. The risk of attack is currently high because exploit code that makes the vulnerabilities easy to exploit is publicly available and there are “strong global scanning activities”. Vulnerable Exchange systems should therefore in any case also be checked for anomalies. Current information is available from the BSI situation centre, which is staffed around the clock.
To make matters worse, according to the authority, thousands of organisations still have gaps that have been known for more than a year and are still not patched. This is the situation of small and medium-sized enterprises. Besides access to the email communications of the companies concerned, attackers can often gain access to the entire enterprise network through such vulnerable servers.
The hacker group works for the Chinese government
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had already on Wednesday instructed all federal agencies by emergency directive to bring their Exchange installations up to date. It justifies the use of this rarely used instrument with the unacceptable risk of not acting, because the vulnerabilities are being widely exploited and the attackers gain “permanent access to computers”.
Microsoft sees a hacking group called Hafnium behind the wave of attacks, which, according to the company, “very likely” works for the Chinese government and primarily spies on US targets. The attackers had previously targeted researchers in the health sector, law firms, civil society organisations, educational institutions and security agencies.
Focus on email traffic
According to the Krebs on Security portal, at least 30,000 organisations in the United States have been hacked over the past few days by an unusually aggressive cyber-espionage unit. Many of these are medium-sized companies, but city and municipal administrations are also among them. The attackers are particularly interested in the email traffic of the affected organisations.
In each case, the intruders leave behind a “web shell”, an easy-to-use, password-protected hacking tool that can be reached over the Internet from any browser and provides administrator rights. According to cyber security experts, the group has already taken control of hundreds of thousands of Exchange servers worldwide.
Foreign government spies
According to Microsoft, the first indication of the Exchange vulnerabilities came from the Virginia IT security company Volexity. Before Microsoft released the updates, the company had been working on dozens of cases in which web shells were installed on target computers from February 28 onwards, according to its boss Steven Adair. Even if the holes were patched on Wednesday, there is a high probability that the hacker software is already on a vulnerable server. After the so-called SolarWinds hack, the new attacks are the second case of a large-scale cyber campaign behind which the United States suspects foreign government spies.