Ongoing & enormous Microsoft Exchange server hack hits 30,000 US groups

The Hafnium hacking group in China has allegedly hacked at least 30,000 organizations in the United States using Microsoft Exchange Server, with the group said to have increased its activity in the wake of the hack's initial reports.

On Wednesday, Microsoft disclosed evidence that "Hafnium," a Chinese hacking group, was attacking servers in the United States and around the world using Microsoft Exchange Server. Microsoft also released emergency security patches to plug four security holes affecting Exchange Server version 2013 to 2019, which were used by the group.

By Saturday, hints of the extent of the hacking spree indicated it was wide-ranging and major in scale.

According to a source of Reuters on Friday, the attack had affected more than 20,000 US organizations. However, two anonymous cybersecurity experts who briefed US national security advisors on the attack told KrebsOnSecurity the number is far higher, in excess of 30,000 organizations.

Furthermore, despite the release of patches, the experts claim the group have stepped up their attacks, in a bid to gain access to unpatched Exchange servers. On a global scale, the attack is said to have affected "hundreds of thousands" of servers.

While unconfirmed, it appears that the mass hack is at a larger scale than that of SolarWinds. It is believed more than 18,000 organizations could have been affected by that network management software hack.

Even in the event organizations applied the patch, there is a chance they may still be affected. As part of the hack, the group leaves a "web shell" installed, a hacking tool accessible from a browser that provides administrative access to servers.

Organizations that apply the patches can prevent the hack from occurring, but the web shell could still be present on the system if they were hacked previously.

It is claimed victims still running the web shell include thousands of U.S. entities, including financial institutions, charities and non-profits, and the operations of emergency services.

"Even if you patched the same day Microsoft published its patches, there's still a high chance there is a web shell on your server," said security firm Volexity president Steven Adair. "The truth is, if you're running Exchange and you haven't patched this yet, there's a very high chance that your organization is already compromised."

The scale of the hacks has led to the US Cybersecurity & Infrastructure Security Agency (CISA) to issue an emergency directive ordering federal departments and agencies to update their Microsoft Exchange servers or take the servers offline. White House press secretary has also warned the vulnerabilities "could have far-reaching impacts, with a fear there could be a "large number of victims."