[BreachExchange] More than 20,000 U.S. organizations compromised through Microsoft flaw

Destry Winant destry at riskbasedsecurity.com
Mon Mar 8 10:21:26 EST 2021


https://www.reuters.com/article/us-usa-cyber-microsoft/more-than-20000-u-s-organizations-compromised-through-microsoft-flaw-idUSKBN2AX23U

WASHINGTON (Reuters) - More than 20,000 U.S. organizations have been
compromised through a back door installed via recently patched flaws
in Microsoft Corp’s email software, a person familiar with the U.S.
government’s response said on Friday.

The hacking has already reached more places than all of the tainted
code downloaded from SolarWinds Corp, the company at the heart of
another massive hacking spree uncovered in December.

The latest hack has left channels for remote access spread among
credit unions, town governments and small businesses, according to
records from the U.S. investigation.

Tens of thousands of organizations in Asia and Europe are also
affected, the records show.

The hacks are continuing despite emergency patches issued by Microsoft
on Tuesday.

Microsoft, which had initially said the hacks consisted of “limited
and targeted attacks,” declined to comment on the scale of the problem
on Friday but said it was working with government agencies and
security companies to provide help to customers.

It added, “impacted customers should contact our support teams for
additional help and resources.”

One scan of connected devices showed only 10% of those vulnerable had
installed the patches by Friday, though the number was rising.

Because installing the patch does not get rid of the back doors, U.S.
officials are racing to figure out how to notify all the victims and
guide them in their hunt.

All of those affected appear to run Web versions of email client
Outlook and host them on their own machines, instead of relying on
cloud providers. That may have spared many of the biggest companies
and federal government agencies, the records suggest.

The federal Cybersecurity and Infrastructure Security Agency did not
respond to a request for comment.

Earlier on Friday, White House press secretary Jen Psaki told
reporters that the vulnerabilities found in Microsoft’s widely used
Exchange servers were “significant,” and “could have far-reaching
impacts.”

“We’re concerned that there are a large number of victims,” Psaki said.

Microsoft and the person working with the U.S. response blamed the
initial wave of attacks on a Chinese government-backed actor. A
Chinese government spokesman said the country was not behind the
intrusions.

What started as a controlled attack late last year against a few
classic espionage targets grew last month to a widespread campaign.
Security officials said that implied that unless China had changed
tactics, a second group may have become involved.

More attacks are expected from other hackers as the code used to take
control of the mail servers spreads.

The hackers have only used the back doors to re-enter and move around
the infected networks in a small percentage of cases, probably less
than 1 in 10, the person working with the government said.

“A couple hundred guys are exploiting them as fast as they can,”
stealing data and installing other ways to return later, he said.

The initial avenue of attack was discovered by prominent Taiwanese
cyber researcher Cheng-Da Tsai, who said he reported the flaw to
Microsoft in January. He said in a blog post that he was investigating
whether the information leaked.

He did not respond to requests for further comment.