Microsoft server hack has victims hustling to stop intruders

2021-03-08

FILE - In this Nov. 10, 2016, file photo, people walk past a Microsoft office in New York. China-based government hackers have exploited a bug in Microsoft's email server software to target U.S. organizations, the company said Tuesday, March 2, 2021. (AP Photo/Swayne B. Hall, File)
FRANK BAJAK, ERIC TUCKER and MATT O'BRIEN

BOSTON (AP) — Victims of a massive global hack of Microsoft email server software — estimated in the tens of thousands by cybersecurity responders — hustled Monday to shore up infected systems and try to diminish chances that intruders might steal data or hobble their networks.

The White House has called the hack an “active threat” and said senior national security officials were addressing it.

The breach was discovered in early January and attributed to Chinese cyber spies targeting U.S. policy think tanks. Then in late February, five days before Microsoft issued a patch on March 2, there was an explosion of infiltrations by other intruders, piggybacking on the initial breach. Victims run the spectrum of organizations that run email servers, from mom-and-pop retailers to law firms, municipal governments, healthcare providers and manufacturers.

While the hack doesn’t pose the same kind of national security threat as the more sophisticated SolarWinds campaign, which the Biden administration blames on Russian intelligence officers, it can be an existential threat for victims who didn't install the patch in time and now have hackers lingering in their systems. The hack poses a new challenge for the White House, which, even as it prepares to respond to the SolarWinds breach, must now grapple with a formidable and very different threat from China.

“I would say it’s a serious economic security threat because so many small companies out there can literally have their business destroyed through a targeted ransomware attack,” said Dmitri Alperovitch, former chief technical officer of the cybersecurity firm CrowdStrike.

He blames China for the global wave of infections that began Feb. 26, though other researchers say it's too early to confidently attribute them. It's a mystery how those hackers got wind of the initial breach because no one knew about this except a few researchers, Alperovitch said.

After the patch was released, a third wave of infections began, a piling on that typically occurs in such cases because Microsoft dominates the software market and offers a single point of attack.

Cybersecurity analysts trying to pull together a complete picture of the hack said their analyses concur with the figure of 30,000 U.S. victims published Friday by cybersecurity blogger Brian Krebs. Alperovitch said about 250,000 global victims have been estimated.

Microsoft has declined to say how many customers it believes are infected.

David Kennedy, CEO of cybersecurity firm TrustedSec, said hundreds of thousands of organizations could have been vulnerable to the hack.

“Anybody that had Exchange installed was potentially vulnerable,” he said. “It’s not every single one but it’s a large percentage of them.”

Katie Nickels, director of intelligence at the cybersecurity firm Red Canary, warned that installing patches won't be enough to protect those already infected. “If you patch today that is going to protect you going forward but if the adversaries are already in your system then you need to take care of that,” she said.

A smaller number of organizations were targeted in the initial intrusion by hackers who grabbed data, stole credentials or explored inside networks and left backdoors at universities, defense contractors, law firms and infectious-disease research centers, researchers said. Among those Kennedy has been working with are manufacturers worried about intellectual property theft, hospitals, financial institutions and managed service providers who host multiple company networks.

“On the scale of one to 10, this is a 20,” Kennedy said. “It was essentially a skeleton key to open up any company that had this Microsoft product installed.”

Asked for comment, the Chinese embassy in Washington pointed to remarks last week from a Foreign Ministry spokesperson saying that China “firmly opposes and combats cyber attacks and cyber theft in all forms” and cautioning that attribution of cyberattacks should be based on evidence and not “groundless accusations.”

The hack did not affect the cloud-based Microsoft 365 email and collaboration systems favored by Fortune 500 companies and other organizations that can afford quality security. That highlights what some in the industry lament as two computing classes — the security “haves” and “have-nots.”

Ben Read, director of analysis at Mandiant, said the cybersecurity firm has not seen anyone leverage the hack for financial gain, “but for folks out there who are affected time is of the essence in terms of patching this issue.”

That is easier said than done for many victims. Many have skeleton IT staff and can’t afford an emergency cybersecurity response — not to mention the complications of the pandemic.

Fixing the problem isn’t as simple as clicking an update button on a computer screen. It requires upgrading an organization’s entire so-called “Active Directory,” which catalogues email users and their respective privileges.

“Taking down your e-mail server is not something you do lightly,” said Alperovitch, who chairs the nonprofit Silverado Policy Accelerator think tank.

Tony Cole of Attivo Networks said the huge number of potential victims creates a perfect “smokescreen” for nation-state hackers to hide a much smaller list of intended targets by tying up already overstretched cybersecurity officials. “There’s not enough incident response teams to handle all of this.”

Many experts were surprised and perplexed at how groups rushed to infect server installations just ahead of Microsoft’s patch release. Kennedy, of TrustedSec, said it took Microsoft too long to get a patch out, though he does not think it should have notified people about it before the patch was ready.

Steven Adair of the cybersecurity firm Volexity, which alerted Microsoft to the initial intrusion, described a “mass, indiscriminate exploitation” that began the weekend before the patch was released and included groups from “many different countries, (including) criminal actors.”

The Cybersecurity Infrastructure and Security Agency issued an urgent alert on the hack last Wednesday and National Security Advisor Jake Sullivan tweeted about it Thursday evening.

But the White House has yet to announce any specific initiative for responding.

___

Tucker reported from Washington and O'Brien reported from Providence, Rhode Island. AP writer Alan Suderman contributed from Richmond, Virginia.
