
Friday, March 12, 2021

MS Exchange Server, Patched Late

Why did it take so long for Microsoft to respond? I have been getting updates, including, I assume, patches, from Microsoft once a week since the beginning of the year. 'Zero day' means there were existing potentially dangerous bugs at shipment, ready to use. And apparently known for some time to Microsoft.

Microsoft Exchange Server Attack Escalation Prompts Patching Panic, by Kelly Sheridan, 3/8/2021, in DarkReading

US government officials weigh in on the attacks and malicious activity, which researchers believe may be the work of multiple groups.

The critical Exchange Server vulnerabilities patched last week by Microsoft are being weaponized in widespread attacks against organizations worldwide. Attacks have escalated over the past two weeks, prompting responses from US government and the security community. 

News of the four vulnerabilities emerged on March 2, when Microsoft issued patches for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. These flaws affect Microsoft Exchange Server versions 2013, 2016, and 2019, though the company notes Microsoft Exchange Server 2010 is being updated for Defense in Depth purposes. Exchange Online is not affected.

Microsoft, which learned of these vulnerabilities in early January, initially reported they were being exploited in "limited and targeted attacks" by Hafnium, a group it believes is state-sponsored and operates out of China. Officials said this was the only actor it had seen weaponizing these exploits, which it used to primarily target organizations in the US. 

But other security experts say there are likely multiple threat groups behind the wave of malicious activity going after Exchange Servers.

This activity accelerated toward the end of February, when Volexity researchers who found some of the zero-days noticed an increase in instances of remote code execution (RCE). In all cases, attackers were writing Web shells to disk and doing operations to dump credentials, add user accounts, steal copies of Active Directory databases, and move laterally to other systems.

What had previously been "low and slow" activity had quickly escalated into a lot of noise.

"While it started out as targeted espionage campaign, they engaged in reckless and dangerous behavior by scanning/compromising Exchange servers across the entire IPv4 address space with webshells that can now be used by other actors, including ransomware crews," Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and cofounder of CrowdStrike, said in a tweet. ...
