Microsoft patches email hack
Authorities are responding to a cyber attack on a weakness in Microsoft’s enterprise email software.
Thousands of major businesses around the world have been exposed in the Microsoft Outlook hack.
Microsoft claims that the state-sponsored Chinese hacking group HAFNIUM has exploited security flaws to hack machines running Microsoft Exchange; the software that allows businesses to store email on their own machines, to be accessed through the Microsoft Outlook web app.
Experts say any organisation that has an Exchange server connected to the internet should assume it was compromised.
True attribution is almost impossible in sophisticated cyber attacks, but Microsoft claims that the “observed victimology, tactics and procedures” of the attack suggest it was the Chinese group.
The tech giant alleges that Chinese cybercriminals targeted its software in order to monitor or steal email communications. It says the intruders may also have installed additional spying tools on affected computers.
The Chinese foreign ministry says that the nation “firmly opposes and combats cyber attacks and cyber theft in all forms.”
Microsoft initially claimed the attack was limited to US government agencies and businesses, but this was inaccurate. The Australian Cyber Security Centre (ACSC) has now advised Australian businesses to immediately install the latest security updates.
Cybersecurity firm Sophos has warned that the updates are just a first step, but will not necessarily remove the danger.
This is because the hackers were able to insert “web shells” into compromised systems, allowing them to continue accessing systems even after they have been updated.
“If the web shell was placed there before a device was patched, and then the patch was applied, the file would still exist and it could still be used. Patching only prohibits the initial vulnerability being used again,” Sophos senior director of managed threat response Mat Gangwer says.
“The nature of this latest attack was to infect as many devices as possible before organisations caught up with the patch. We have observed this impacting organisations in many different regions. There is no reason to believe that Australia was impacted any less than other countries.”
Microsoft has created a software tool for administrators to check their machines and locate any web shells.
Mr Gangwer said finding and removing these web shells is an important step for affected businesses, but they also need to manually assess any damage.
“Each organisation needs to begin looking to see if they were impacted by a web shell, which can be determined via reviewing logs. If a web shell is discovered, you then need to assess if any further access was gained,” he said.
“[Web shells allow attackers] to issue any command the attacker desires on the victim device. This is why they pose such a risk, because it gives the attacker access to a very important and critical system.”