The reach of the allegedly Chinese hacking group that has been exploiting the vulnerabilities discovered in Microsoft’s Exchange servers could be wide-ranging, U.S. officials say.
According to Reuters, the White House is taking an active role in the investigation into the zero-day vulnerabilities discovered in Exchange Server, which affect on-premises versions and allow attackers to access email accounts and install additional malware to facilitate long-term access to targeted networks.
“We’re concerned that there’re a large number of victims,” White House Press Secretary Jen Psaki said Friday.
Psaki’s comments came a day after U.S. security officials and cybersecurity firms heightened the call to action, including urgent calls for network administrators to patch the vulnerabilities by applying updates released by Microsoft earlier this week.
White House National Security Advisor Jake Sullivan said in a tweet that the White House is closely tracking the story, linking to the Cybersecurity & Infrastructure Agency’s alert detailing the attacks.
We are closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises of U.S. think tanks and defense industrial base entities. We encourage network owners to patch ASAP: https://t.co/Q2K4DYWQud
— Jake Sullivan (@JakeSullivan46) March 5, 2021
The same day, FireEye published a blog detailing its knowledge of the attacks, which it said began in January when the firm observed “multiple instances of abuse” of Microsoft Exchange server at one client.
The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint security solutions. Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\SYSTEM, a privileged local account on the Windows operating system. Furthermore, the process that created the web shell was UMWorkerProcess.exe, the process responsible for Exchange Server’s Unified Messaging Service. In subsequent investigations, we observed malicious files created by w3wp.exe, the process responsible for the Exchange Server web front-end.
That squares with Microsoft’s analysis of the exploits, which it published in a blog Tuesday.
According to FireEye, the firm built threat hunting campaigns to identify additional Exchange Server abuse and used the resulting data to build higher-fidelity detections of web server process chains.
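The process-chain detections FireEye describes can be illustrated with a small hunt over endpoint telemetry. The following is an added example, not FireEye’s or Microsoft’s code: it scans constructed Sysmon-style process-creation and file-creation events and flags web-content files written by the Exchange worker processes named in the excerpt above (w3wp.exe, UMWorkerProcess.exe) and command shells they spawn; the event schema, field names and sample paths are assumptions.

```python
# Added example (not FireEye's or Microsoft's code): flag suspicious Exchange
# worker-process activity in constructed Sysmon-style telemetry.
import ntpath

# Exchange worker processes named in the FireEye excerpt on this page.
EXCHANGE_WORKERS = {"w3wp.exe", "umworkerprocess.exe"}
# Interactive shells/interpreters an IIS worker has no business spawning.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Extensions a web shell would use on an IIS-hosted Exchange front end.
WEB_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}

def _base(path):
    return ntpath.basename(path).lower()

def assess(event):
    """Return a finding string for one event, or None if it looks benign.
    event: dict with 'type' ('process' or 'file'), 'image', and either
    'parent_image' (process) or 'target' (file). Field names are assumptions."""
    if event["type"] == "process":
        if _base(event["parent_image"]) in EXCHANGE_WORKERS and _base(event["image"]) in SHELLS:
            return f"shell {_base(event['image'])} spawned by {_base(event['parent_image'])}"
    elif event["type"] == "file":
        ext = ntpath.splitext(event["target"])[1].lower()
        if _base(event["image"]) in EXCHANGE_WORKERS and ext in WEB_EXTS:
            return f"{ext} file {event['target']} written by {_base(event['image'])}"
    return None

def hunt(events):
    """Run assess() over every event; return a list of (index, finding)."""
    return [(i, f) for i, e in enumerate(events) if (f := assess(e))]

# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"type": "file", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\example\shell.aspx"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"type": "file", "image": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe",
     "target": r"C:\inetpub\wwwroot\example\um.aspx"},
    {"type": "file", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex210305.log"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Ordinary IIS logging by w3wp.exe (the last sample event) is not flagged; only script-capable files and child shells are.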
Victims have yet to be publicly identified, but FireEye says it has identified several, including U.S.-based retailers, local governments, a university and an engineering firm.
According to Microsoft, other targets included U.S.-based defense companies, law firms, infectious disease researchers and think tanks.
As we’ve seen with the SolarWinds compromise, more and more details of this activity from this threat actor will emerge every day. Take the advice of every cybersecurity expert speaking on this and update Microsoft Exchange Server immediately.