The highest levels of the U.S. government are alarmed by newly discovered flaws in Microsoft Corp.’s email software, and the government is urging users to apply patches immediately.
Significant numbers of small businesses and local governments are among the 30,000 affected organizations across the U.S. They have been hacked in the last few days via holes in Microsoft’s email software, allegedly by Chinese attackers focused on stealing email from victims, the blog KrebsOnSecurity reported Friday.
“This is a significant vulnerability that could have far-reaching impacts,” said Jen Psaki, the White House press secretary, speaking at a briefing, according to Bloomberg. “We are concerned there are a large number of victims.” She characterized the incident as an “active threat.”
Psaki’s remark comes after Microsoft revealed on Tuesday that China-based nation-state hackers were exploiting previously unknown flaws in on-premises versions of the software, and released patches for them. The following day, the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security, issued an emergency directive in response to “observed active exploitation of these products.” As a result, civilian agencies and departments were directed to apply the patches or look for compromises and disconnect Microsoft Exchange from their networks.
Over the course of the week, government concern over the flaws continued to build, with CISA releasing an alert on Thursday stating that it was aware of hackers using tools to search for servers that hadn’t yet been patched. That evening, National Security Advisor Jake Sullivan wrote on Twitter that the U.S. is “closely tracking Microsoft’s emergency patch.” He cited “reports of potential compromises of U.S. think tanks and defense industrial base entities.”
The specific targets and timing of the hacking remain unknown. Defense Department spokesman John Kirby said the Pentagon (a metonym for the Department of Defense and its leadership) is assessing its systems based on Microsoft’s advisory. The cybersecurity firm FireEye Inc. found that victims included “U.S.-based retailers, local governments, a university, and an engineering firm.” According to Allan Liska, an analyst at the firm Recorded Future Inc., the version of Exchange targeted by hackers is typically run by small businesses, putting them at special risk.
A Microsoft representative said the company isn’t aware of attacks before vulnerabilities were disclosed to the company in early January.
Volexity, a cybersecurity firm, reported finding attacks that leveraged the flaws as early as January 6. However, CISA urged operators to look for compromises dating back to September, “out of an abundance of caution,” according to a spokesperson.