On March 3, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering federal civilian agencies to respond immediately to the exploitation of vulnerabilities in Microsoft's Exchange Server groupware by Hafnium, a hacking group that Microsoft assesses to be state-sponsored and operating out of China. Microsoft has released tooling to detect intrusions, but detection does not by itself prevent further compromise, and experts estimate that at least 30,000 organizations have already been breached.
Microsoft disclosed on March 2 that on-premises Exchange Server was under zero-day attack by the Chinese state-affiliated group. The attack chain is known as ProxyLogon; its entry point is a server-side request forgery, tracked as CVE-2021-26855, that lets an unauthenticated attacker send requests through the Exchange front end to the back end and, chained with further bugs, write files such as web shells to the server.
In response, CISA issued Emergency Directive 21-02 on March 3. It directs federal civilian executive branch agencies running on-premises Exchange to triage their servers for indicators of compromise, to disconnect any server that shows signs of intrusion or that the agency cannot investigate, and to apply Microsoft's security update immediately. CISA urged organizations outside the federal government to follow the same guidance.
The patch CISA directed agencies to install is the out-of-band Exchange Server security update that Microsoft released on March 2. Installing it closes the vulnerabilities, but it does not undo an intrusion that has already taken place: the Microsoft Security Response Center (MSRC) stressed that patching is not remediation, and that a server exploited before the update was applied must still be investigated and any web shells or other attacker persistence removed. Microsoft also published interim mitigations for servers that cannot be patched right away; these reduce exposure but are not a substitute for the update.
The White House also said at a press briefing on March 5 that the Exchange Server vulnerabilities could have a widespread impact.
As to the extent of the damage, at least 30,000 organizations are reported to have been compromised in the United States alone. A cybersecurity expert who asked not to be named said the Chinese hacking group already controls hundreds of thousands of servers running Microsoft Exchange. Since an organization typically runs its Exchange deployment on a single server, hundreds of thousands of compromised servers translates into a comparable number of affected organizations.
On March 6, Microsoft released an updated PowerShell script, Test-ProxyLogon.ps1, that scans Exchange log files for the indicators of ProxyLogon exploitation it has published, and CISA recommends running it on every on-premises Exchange server. Because the script only reports evidence of exploitation, a positive result has to be followed by incident response, not just by patching.
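The best-known of those indicators, as described in Microsoft's March 2021 guidance, is a request in the Exchange HttpProxy logs whose AuthenticatedUser field is empty while its AnchorMailbox matches the wildcard pattern ServerInfo~*/*; that combination means an unauthenticated request was routed to a back-end path via the SSRF (CVE-2021-26855). The following is an added example written for this page, not the article's text and not Microsoft's script. It reimplements that single check in Python rather than PowerShell so it can be run off-host against exported log files; the log excerpt it ships with is constructed for the example, and every hostname, username and IP address in it is invented.

```python
"""Scan Exchange HttpProxy logs for the public CVE-2021-26855 indicator.

Added example (not the article's or Microsoft's code). Microsoft's March 2021
guidance: a request whose AuthenticatedUser is empty and whose AnchorMailbox
matches the wildcard pattern ServerInfo~*/* indicates exploitation of the
ProxyLogon SSRF. On a real server these logs live under
%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy.
"""
import csv
import fnmatch
import sys
from typing import Dict, List

INDICATOR_PATTERN = "ServerInfo~*/*"

# Constructed sample, not a real capture: the columns are a subset of the real
# HttpProxy fields and every hostname, user and IP address is invented.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.01.2106.002
#Log-type: HttpProxy Logs
#Date: 2021-03-04T00:00:00.000Z
#Fields: DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-04T01:12:03.101Z,/owa/,CONTOSO\\alice,Sid~S-1-5-21-1111-2222-3333-1001,10.0.0.15,200
2021-03-04T01:13:44.555Z,/ecp/default.flt,,ServerInfo~mail.example.test/autodiscover/autodiscover.xml,203.0.113.7,200
2021-03-04T01:14:02.907Z,/autodiscover/autodiscover.xml,CONTOSO\\svc-mon,ServerInfo~mail.example.test/autodiscover/autodiscover.xml,10.0.0.20,200
2021-03-04T01:15:10.330Z,/mapi/emsmdb/,,ServerInfo~mail.example.test,198.51.100.9,401
"""


def parse_exchange_log(text: str) -> List[Dict[str, str]]:
    """Parse an Exchange CSV log into one dict per request row.

    Exchange logs open with a few '#'-prefixed preamble lines. The field list
    is taken from a '#Fields:' line when present, otherwise from the first
    non-comment line, so both header conventions are accepted.
    """
    header: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                header = next(csv.reader([line[len("#Fields:"):].strip()]))
            continue
        fields = next(csv.reader([line]))
        if not header:
            header = fields  # plain header line, no '#Fields:' prefix
            continue
        rows.append(dict(zip(header, fields)))
    return rows


def is_proxylogon_indicator(row: Dict[str, str]) -> bool:
    """Mirror of the published check: an unauthenticated request routed via a
    ServerInfo~ anchor that contains a '/' (a host followed by a back-end
    path). The glob is matched case-insensitively, like PowerShell's -like,
    and fnmatchcase is used so that '/' gets no special treatment.
    """
    anchor = row.get("AnchorMailbox", "")
    return row.get("AuthenticatedUser", "") == "" and fnmatch.fnmatchcase(
        anchor.lower(), INDICATOR_PATTERN.lower()
    )


def find_indicators(text: str) -> List[Dict[str, str]]:
    """Return every log row that matches the indicator."""
    return [row for row in parse_exchange_log(text) if is_proxylogon_indicator(row)]


def main(argv: List[str]) -> int:
    # With a path argument, scan that exported log file; otherwise the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8-sig") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    hits = find_indicators(text)
    for hit in hits:
        print(hit.get("DateTime", "?"), hit.get("ClientIpAddress", "?"),
              hit.get("UrlStem", "?"), hit.get("AnchorMailbox", "?"), sep="  ")
    print(f"{len(hits)} suspicious request(s)")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, only the second row is reported: it is unauthenticated and its anchor carries a host plus a back-end path. The third row has the same anchor but an authenticated user, and the fourth is unauthenticated but its anchor has no path component, so neither is flagged. A hit is evidence that exploitation was attempted against the server, not proof of what the attacker did afterwards; the full Test-ProxyLogon.ps1 checks several further log sources, and a positive result should start an incident response rather than end with a patch.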