Huge Fallout from Microsoft Incompetence: Let’s Exchange Exchange

If you thought last week’s news was bad, you ain’t seen nothin’ yet. Countless organizations using Microsoft Exchange are scrambling to undo the damage caused by Chinese “Hafnium” hackers over the past two months. And many more don’t even know they’ve been penetrated.

It’s all Microsoft’s fault. Let’s not sugar-coat it: Microsoft knew about this vulnerability more than two months ago, yet didn’t tell anyone, for fear of … what? Damaging shareholder returns?

Microsoft should be ashamed of itself. In today’s SB Blogwatch, we watch Redmond reap the whirlwind.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Death to email.

Nuclear Option: Drop Microsoft Email

What’s the craic? Jeff Mason reports—“White House cites ‘active threat,’ urges action despite Microsoft patch”:

 The White House on Sunday urged computer network operators to take further steps to gauge whether their systems were targeted amid a hack of Microsoft [Exchange] email program, saying a recent software patch still left serious vulnerabilities. … While Microsoft released a patch last week [it] still leaves open a … back door that can allow access to compromised servers and perpetuate further attacks by others.

“Patching and mitigation is not remediation if the servers have already been compromised. … We urge network operators to take it very seriously,” a White House official said.

A source [said] more than 20,000 U.S. organizations had been compromised by the hack, which Microsoft has blamed on China, although Beijing denies any role. … Neither the company nor the White House has specified the scale of the hack. Microsoft initially said it was limited, but the White House [mentioned] “a large number of victims.”

Twenty thousand? Make that thirty. Brian Krebs cycles up the panic—“At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email”:


 In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.

By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. … “It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source. … Another government cybersecurity expert who participated in a recent call with multiple stakeholders impacted by this hacking spree worries the cleanup effort required is going to be Herculean.

Two cybersecurity experts who’ve briefed U.S. national security advisors on the attack [said] the Chinese hacking group … has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide.

[But] a Microsoft spokesperson said … “The best protection is to apply updates as soon as possible across all impacted systems.”

Way to miss the point, Microsoft. As your humble blogwatcher previously said—“At Best, Microsoft is Incompetent”:

 This has been going on since January 6—probably earlier. Why on Earth did Microsoft wait eight weeks to tell anyone? What’s it been up to all this time?

Was Microsoft asleep at the switch? With a zero-day being actively exploited, you’d think Microsoft could suggest a mitigation or two.

What has Microsoft been doing for almost two months? [It’s] a damning indictment.

In case you missed it, innocent_white_lamb flogs the dead horse:

 Anyone who figures they’ve installed the patch and it’s now fixed, that’s not the case.

The patch still leaves an open back door. … That’s the most important line in [Jeff Mason’s] article.

Ah, Microsoft Exchange: Rupert Goodwins waxes lyrically, calling it a “torture garden”:

 It is the monster which corrupts all it touches. It is an energy-sucking vampire that thrives on the pain it promotes.

To say it is a picky, bad-tempered master when it works is one thing, but picking up the pieces after it’s spat out its cogs is quite another. … And Microsoft, the nominal owner and controller of Exchange, is itself damaged by its creation. If battling with monsters turns you into a monster, what does marketing them do?

This security hole is atrocious. Before the patches … there was no defence. … What raises this from bad not just to very bad but to very very bad, is that this isn’t the first pre-authentication remote code execution vulnerability in Microsoft’s history. … Once you’ve found your first Grade A face-reddener of an open door vulnerability, surely it’s worth looking for more?

After the patches comes not relief, but the hunt for evidence of compromise. [Microsoft is] going to gather in the opprobrium it deserves for foisting so much pain on us.

This is looking uglier and uglier. Respect Deputy Cartman’s authority:

 This is why I got so frustrated with my last contractor job at an American defense company. … Emailing people for weeks on end asking to patch their servers, receiving no response, or dead email addresses … and hundreds of servers just piling up falling farther and farther behind in patching but.

God only knows what’s going on over there right now. My heart weeps for all the people there whom upper management are going to throw under a steamroller, Who-Framed-Roger-Rabbit-style, instead of addressing the cultural rot and bureaucratic morass.

Microsoft has at least done something right—eventually. EvilSpock strokes his goatee:

 I support a few Exchange servers. … Microsoft have actually published some good tools to help assess and resolve any problems, including an nmap script to scan servers. … It will look for shells, IoCs in the logs and dumps of the lsass.exe process on the server (the scariest part of a breach).

But smug Exchange admin afidel is sitting pretty—because they didn’t trust Microsoft:

 The answer to this attack was to not have [Exchange] exposed to the general internet. We did that through pre-authentication using AAA on the reverse proxy.

The exception, rather than the rule, I bet? So does Ken Moorhouse:

 Unfortunately, “Nobody got fired for buying Microsoft products,” trickles right down to companies with a handful of employees, and they install Exchange Server to handle their email. They struggle to configure it and leave it at the stage where it limps along, keeping their fingers crossed nothing goes awry.

[How about] throwing in the towel and migrating to some kind of hosted solution? … IT people now have the perfect excuse to recommend [that] to their superiors.

Meanwhile, Zylon quips thuswise:

 This is why the Internet can’t have nice things.

And Finally:

Death to all email (not just Exchange)


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: U.S. Department of Defense (public domain)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, and NetApp on Forbes. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
