The above decision was taken after an organization’s 30,000 or even more accounts across the United States including local governments to small businesses everything was hacked by an aggressive China-based cyber undercover unit.
They send emails with vulnerabilities through the Microsoft Exchange Server and made hundreds of thousands of organizations worldwide its victims. This tool provides total accessibility or remote control on the affected systems.
According to some sources, a China-based Hufnium group is targeting law firms, defense contractors, higher education institutes, NGOs, etc. with this tool through leading the United States-based virtual private servers.
This attack includes three steps -
- In the first step, it gains access to the Exchange Server either with the password that was stolen or through previously unknown vulnerabilities for disguising itself as someone who has the access.
- In the second step, it creates what is known as a web shell for controlling the compromised server through some remote location.
- In the third step, it uses the remote access that is run from the United States of America-based private sectors for stealing data from the network of an organization.
Here the web-shell is worth discussing. The web-shell are backdoor hacking tools that enable the attackers to come back to the machine as soon as it gets infected and have access as an administrator.
This type of hacking is a good example of a zero-day exploit that is one of the new vulnerabilities discovered in software. Such are quite common and they exist in most of the pieces of the software as soon as it is launched. However, it becomes dangerous when it is recognized by the wrong people.
The two main questions that may come to anyone’s mind after reason these are:
- How long does it take to patch?
- What is its impact?
Let us see the answers to these two questions:
How long does it take to patch?
The time is running. From the time the issue in the software is discovered and is disclosed and a patch is deployed for the same, how much of the data has been transferred to the hackers? This is one of the key questions that every underwriter of cybersecurity can ask. What is the patching cadence of an organization is another question? Or to put it more simply, does the company update its software within its network regularly. And if yes, then how frequently? Moreover, in case of issuance of an emergency security patch, what is the ability of the company to get that implemented across the network of the company.
If we see this closely, we will observe that it is not only the case wherein the 'install update' button is clicked and one can go on a coffee break. All the software systems of a company are interconnected in a way that a single change in a single system can leave a serious impact on other software that is running within the organization. Therefore, testing all the patches before deploying them into the organization's network is the key. In an active attack on a network, this period is critical.
So, if an organization reports the issue in the days instantly after it reported the hack, the criminals got shifted to high gear for gaining a foothold in as many organizations as possible before the deployment and installation of the patch.
What is its impact?
As per the statement of Microsoft, the patch doesn’t remove the hackers from the system that is infiltrated already. It gives some guidance to mitigate the impact until the deployment of the patch. Any organization impacted by this attack at Microsoft Exchange will need a few remediation efforts likely from IT forensic support or outside security. These costs generally fall in a cybersecurity insurance policy. But, beyond the initial expenses of the response that are incurred, how much more damage can an attacker cause with the administrative access in the system of a company. So, far it seems like there has not been any secondary attack on the affected organizations. Another question that arises here is - how does an attacker use the web-shells that are explained above has planted at all the places and what could it do?
For a different set of attackers, this is not uncommon to target all such vulnerabilities as soon as they are disclosed. We can imagine this with someone getting access to these web-shells and start an event of mass ransomware.
However, the affected organizations must:
- Deploy the emergency patch as soon as possible.
- Inform their cyber insurance provider for notifying their cyber insurance carrier about the security incident and
- Doing a thorough forensic review of IT for removing any kind of backdoors and web-shells installed in the network at the time of the attack.
The Final Words!
Once the patch is deployed, the exploit is not called a zero-day exploit. Even these attacks are not discovered instantly, and it often takes not just some days but months or sometimes even years before the developers learn about it.
We don't spam
Expert advice made easy
