Only a few months after what Microsoft called the biggest hack in recent history, Microsoft’s own software now seems to contain a gigantic and actively exploited vulnerability.
It concerns a vulnerability in Microsoft Exchange, Reuters writes. Attackers have used the vulnerability to install a backdoor on machines running the software. A patch for the vulnerability has been published, but patching does not remove a backdoor that has already been installed. Moreover, not all users have applied the patch yet. Microsoft has also published a script with which administrators can check whether their systems are affected.
Tens of thousands of organisations affected
Reuters speaks of 20,000 American companies that may have been affected by this vulnerability, including credit unions, city councils and SMEs. Tens of thousands of organisations in Asia and Europe have also been affected. These are organisations that ran the web version of Outlook on their own servers.
According to both Microsoft and the US government, China is behind the attack. It is not clear what these suspicions are based on. A spokesperson for the Chinese government denies any involvement in the hack. In a blog post, Microsoft has given the attack the name Hafnium. The company says that it does not see any link between Hafnium and the attacks on SolarWinds.
Possibly two groups involved
The attack started last year as a specific attack on some usual targets for espionage. However, the vulnerability has been exploited much more widely in the past month. Security officials see two explanations for this: either the original attackers have changed their tactics, or a second group is involved.
The Reuters source says that the hackers use the backdoor to re-enter infected networks, presumably in less than a tenth of the affected networks. There they steal data and install new ways to break in again later.
Good Samaritan of the SolarWinds hack now itself the target of a new hack
It is striking that it is Microsoft software, of all things, that is being used for such a significant attack. Microsoft recently published a tool with which companies can check whether their systems have been compromised by the attackers behind the SolarWinds hack.
In its announcement of that hack, the company boasted about its own security policy. It wrote that it always checks final versions of its software for malicious modifications before rolling them out to servers and customers. Admittedly, the vulnerability in Exchange was not the result of a break-in by an external party but of a programming error within Microsoft itself, yet the timing can certainly be called ironic.