Over 100,000 organizations around the globe have been hacked via Microsoft email servers. A “web shell” backdoor gave the hackers total remote control allowing them to read all email, and infiltrate other machines. Industry engineers are rushing to identify, and alert victims to prevent from further destructions. The largest problem – many still do not know they have been targeted.
KrebsOnSecurity broke the news that at least 30,000 organizations and hundreds of thousands globally had been hacked. They also revealed that the same source who shared those numbers say the victim list continues to grow quickly, with many victims compromised by multiple cybercrime groups.
Experts now warn and anticipate “Stage 2” which will allow hackers to revisit the hacked servers and seed them with ransomware or other malicious tools sinking even deeper into victim networks.
Rescue effort has been stymied by the sheer volume of attacks on these Exchange vulnerabilities, and by the number of apparently distinct hacking groups that are vying for control over vulnerable systems
“What we thought was Stage 2 actually was one criminal group hijacking like 10,000 exchange servers,” said one source who’s briefed U.S. national security advisors on the outbreak.
“With the number of different threat actors dropping [web] shells on servers increasing, ransomware is inevitable,” said Allison Nixon, chief research officer at Unit221B, a New York City-based cyber investigations firm.
Read more about this event here
HAVE I BEEN HACKED?
Nixon is part of a group of security industry leaders who are contributing data and time to a new victim notification platform online called Check My OWA (Outlook Web Access, the Internet-facing Web component of Exchange Server machines).
“We set up this site to aid victim notification based on lists of compromised Exchange servers with Outlook Web Access (OWA) enabled, which were obtained from perpetrators of this mass breach event. This includes affected IPs/domains, as well as whether the actors in this first wave of attacks successfully loaded a shell. The problem of notifying such a large number of victims is compounded by the lack of legal framework or even available WHOIS data to determine the identity of the owner of an IP or domain to notify them of a serious problem on their property. This website stands as an imperfect approach to a global problem.”
You can use the OWA tool to find out if you appear on the targeted list of hacked accounts.
PREVENTING THE ATTACK
Proliferation of data to private and public clouds is a rising data protection challenge. OffsiteDataSync’s Veeam-Powered cloud backup solution for Office 365 reduces risk and addresses unrecognized dangers through simple, secure and effective protection for critical corporate Outlook, SharePoint, and OneDrive data. You can learn more about Cloud backup for Outlook, Sharepoint, and OneDrive here.