WASHINGTON, March 10 (Reuters) – At least 10 different hacking groups are using recently discovered flaws in Microsoft Corp’s mail server software to break into targets around the world, cybersecurity company ESET said in a blog post on Wednesday.
The breadth of the exploitation adds to the urgency of the warnings being issued by authorities in the United States and Europe about the weaknesses found in Microsoft’s Exchange software.
The security holes in the widely used mail and calendaring solution leave the door open to industrial-scale cyber espionage, allowing malicious actors to steal emails virtually at will from vulnerable servers or move elsewhere in the network. Tens of thousands of organizations have already been compromised, Reuters reported last week, and new victims are being made public daily.
Earlier on Wednesday, for example, Norway’s parliament announced data had been “extracted” in a breach linked to the Microsoft flaws. Germany’s cybersecurity watchdog agency also said on Wednesday two federal authorities had been affected by the hack, although it declined to identify them.
While Microsoft has issued fixes, the sluggish pace of many customers’ updates – which experts attribute in part to the complexity of Exchange’s architecture – means the field remains at least partially open to hackers of all stripes. Applying the patches closes the flaws but does not remove any back door that attackers have already left on the machines; a server that was compromised before it was patched stays compromised until it is checked and cleaned.
In addition, some of the back doors left on compromised machines are protected by passwords that are easily guessed, so that other attackers who find them can take them over.
Microsoft declined comment on the pace of customers’ updates. In previous announcements pertaining to the flaws, the company has emphasized the importance of “patching all affected systems immediately.”
Although the hacking has appeared to be focused on cyber espionage, experts are concerned about the prospect of ransom-seeking cybercriminals taking advantage of the flaws because it could lead to widespread disruption.
ESET’s blog post said there were already signs of cybercriminal exploitation, with one group that specializes in hijacking computer resources to mine cryptocurrency breaking into previously vulnerable Exchange servers to spread its malicious software.
ESET named nine other espionage-focused groups it said were taking advantage of the flaws to break into targeted networks – several of which other researchers have tied to China. Microsoft has blamed the hack on China. The Chinese government denies any role.
Intriguingly, several of the groups appeared to know about the vulnerability before it was announced by Microsoft on March 2.
Ben Read, a director with cybersecurity company FireEye Inc, said he could not confirm the exact details in the ESET post but said his company had also seen “multiple likely-China groups” using the Microsoft flaws in different waves.
ESET researcher Matthieu Faou said in an email it was “very uncommon” for so many different cyber espionage groups to have access to the same information before it is made public.
He speculated that either the information “somehow leaked” ahead of the Microsoft announcement or it was found by a third party that supplies vulnerability information to cyber spies.
Taiwan-based researchers reported to Microsoft on Jan. 5 that they had found two new flaws that needed patching. Those two were among the flaws that attackers began using shortly before or after the report.
The researchers, a group called Devcore, said they were investigating whether there had been a theft or leak on their side, since exploitation was discovered in the wild in the same week. So far, Devcore said, they had found no evidence.
Top-flight hackers are also commonly targeted by other hackers. Just this week, Microsoft patched one of the flaws used by suspected North Koreans in attempts to steal information from Western researchers.
But simultaneous discovery happens fairly often, in part because researchers use the same or similar tools to hunt for serious flaws, and many eyes are looking at the same high-value targets.
“It is very likely that some actor groups may have been using these vulnerabilities and led to the result of the attacks being observed by other information security vendors,” Devcore member Bowen Hsu told Reuters.
But the security industry has been abuzz with other theories, including a hack of Microsoft’s systems for tracking bugs, which has happened in the past.
Microsoft responded to a Chinese government hack that compromised more than 60,000 of its customers by expanding operations in the repressive regime.
Microsoft acknowledged on March 2 that Chinese “state-sponsored” hackers used vulnerabilities in Microsoft Exchange’s software to install malware and access the emails of thousands of victims. The tech company has nevertheless barreled forward in its Chinese business plan, announcing on March 4 that it will expand its cloud computing service Azure. The move is meant to “empower” Chinese citizens, who live in a country with some of the most heavily censored and monitored webspace in the world.
“Our intelligent, trustworthy, and neutral cloud platform has been empowering hundreds of thousands of developers, partners, and customers from both China and the world to achieve more with technical innovation and business transformation,” Alain Crozier, Microsoft’s head for the Greater China Region, said in a statement.
The Azure expansion is the latest sign that the Chinese hacking campaign has had little impact on Microsoft’s decades-long relationship with China. The U.S.-based tech company has outsourced a large portion of its research and development department to the authoritarian country, where it has had a presence since 1992. The company also partnered with a Chinese military university to conduct research into artificial intelligence.
Microsoft declined a request for comment.
The global cyber attack has claimed a number of high-profile victims, including the European Banking Authority and thousands of businesses. The Biden White House said the hackers remain an “active threat” and that companies should patch their software as soon as possible. The Chinese government has so far denied responsibility for the hacking campaign.
The Azure expansion plan will build a new cluster of data centers in northern China, speeding up the cloud service for Chinese users in the region, according to a press release. The cloud service employs Chinese company 21Vianet as a local partner. As China’s leading data service provider, 21Vianet also conducts business with other Chinese tech companies such as Alibaba and Huawei, which U.S. officials say act as conduits for Chinese state espionage.
The Azure cloud computing service includes facial recognition software, a feature that might be attractive for authoritarian regimes. The company touts that “no machine learning expertise is required” to operate the program, which can search through a repository of up to one million people. Chinese authorities are increasingly using facial recognition to police their citizens, including the Muslim Uighurs in Xinjiang.
Microsoft has nurtured a close relationship with Chinese entities over the course of nearly three decades, counting more than 17,000 partners in the authoritarian country. Despite the pandemic, Microsoft has continued to recruit even more local business partners. In December, Microsoft said it partnered with Huawei’s spinoff company to build laptops in the country.
Microsoft also built its largest R&D base outside of the United States in China, employing more than 3,000 engineers and researchers located across four separate Chinese cities. The American company said its Chinese R&D division will contribute to China’s prosperity.
“Microsoft Asia-Pacific R&D Group’s teams are spread across the region … Located in tech parks and recognized hubs for innovation, these campuses are strategically positioned to take advantage of — and contribute to — China’s rapid transformation to an innovation economy,” the company said on its website.