Hackers attack Microsoft email; thousands of companies worldwide are caught in the net

Bloomberg, William Turton, Jordan Robertson 2021-03-11
The attack began with a single hacking group; so far it has at least 60,000 known victims worldwide.

Chinese translation by 胡萌琦 for Fortune China (财富中文网); the English original follows.


A sophisticated attack on Microsoft Corp.’s widely used business email software is morphing into a global cybersecurity crisis, as hackers race to infect as many victims as possible before companies can secure their computer systems.

The attack, which Microsoft has said started with a hacking group, has so far claimed at least 60,000 known victims globally, according to a former senior U.S. official with knowledge of the investigation. Many of them appear to be small or medium-sized businesses caught in a wide net the attackers cast as Microsoft worked to shut down the hack.

The European Banking Authority became one of the latest victims as it said on March 7 that access to personal data through emails held on the Microsoft server may have been compromised. Others identified so far include banks and electricity providers, as well as senior citizen homes and an ice cream company, according to Huntress, an Ellicott City, Maryland-based firm that monitors the security of customers, in a blog post on March 5.

One U.S. cybersecurity company which asked not to be named said its experts alone were working with at least 50 victims, trying to quickly determine what data the hackers may have taken while also trying to eject them.

The rapidly escalating attack came months after the SolarWinds Corp. breaches by suspected Russian cyberattackers, and drew the concern of U.S. national security officials in part because the latest hackers were able to hit so many victims so quickly. Researchers say in the final phases of the attack, the perpetrators appeared to have automated the process, scooping up tens of thousands of new victims around the world in a matter of days.

Washington responds

Washington is preparing its first major moves in retaliation against foreign intrusions over the next three weeks, the New York Times reported, citing unidentified officials. It plans a series of clandestine actions across Russian networks -- intended to send a message to Vladimir Putin and his intelligence services -- combined with economic sanctions. President Joe Biden could issue an executive order to shore up federal agencies against Russian hacking, the newspaper reported.

“We are undertaking a whole of government response to assess and address the impact,” a White House official wrote in an email on March 6. “This is an active threat still developing and we urge network operators to take it very seriously.”

The hacking group appears to have been breaking into private and government computer networks through Microsoft's popular Exchange email software for a number of months, initially targeting only a small number of victims, according to Steven Adair, head of the northern Virginia-based Volexity. The cybersecurity company helped Microsoft identify the flaws the hackers were using, for which the software giant issued a fix on March 9.

The result is a second cybersecurity crisis coming just months after suspected Russian hackers breached nine federal agencies and at least 100 companies through tampered updates from IT management software maker SolarWinds LLC. Cybersecurity experts that defend the world’s computer systems expressed a growing sense of frustration and exhaustion.

Hafnium

"The good guys are getting tired," said Charles Carmakal, a senior vice president at FireEye Inc., the Milpitas, California-based cybersecurity company.

Both the most recent incident and the SolarWinds attack show the fragility of modern networks and the sophistication of state-sponsored hackers, who identify hard-to-find vulnerabilities or even create them to conduct espionage. Both also involve complex cyberattacks with an initial blast radius of large numbers of computers that is then narrowed as the attackers focus their efforts, and that can take affected organizations weeks or months to resolve.

In the case of the Microsoft bugs, simply applying the company-provided updates won't remove the attackers from a network: the patches close the flaws but leave in place whatever access the attackers already established. A review of affected systems is required, Carmakal said. The White House emphasized the same point, including tweets from the National Security Council urging the growing list of victims to carefully comb through their computers for signs of the attackers.

Initially, the hackers appeared to be targeting high value intelligence targets in the U.S., Adair said. About a week ago, everything changed. Other unidentified hacking groups began hitting thousands of victims over a short period, inserting hidden software that could give them access later, he said.
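The point made in the two paragraphs above, that a patch closes the hole but does not remove what the attackers already planted, is what a post-patch review has to address. The following is an added example, not code from the article, from Microsoft, or from any of the firms quoted: a minimal file-integrity diff that compares a web-served directory against a snapshot taken from a known-good install and flags server-executable files that were not there before. The directory layout, file names and the list of executable suffixes are constructed for the demo and are not indicators from this incident.

```python
"""Hunt for files planted in a web-served directory after a known-good baseline.

Added example, not code from the article or from any vendor named in it.
A patch closes the bug; whatever the attacker already dropped into the server's
content directory stays until someone finds it. This is generic file-integrity
checking: the directory layout, file names and suffix list are constructed for
the demo and are not indicators from the incident the article describes.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    digests: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()
            ).hexdigest()
    return digests


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files that appeared, changed or vanished relative to the baseline.

    'added' is the set that matters most for persistence hunting: a web shell is
    a file that was never part of the known-good install.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def suspicious_additions(diff: dict[str, list[str]],
                         served_suffixes: tuple[str, ...] = (".aspx", ".ashx", ".asmx", ".php")) -> list[str]:
    """Narrow new files to ones a web server would execute rather than serve as
    static content. The suffix list is an assumption for the demo."""
    return [p for p in diff["added"] if Path(p).suffix.lower() in served_suffixes]


def demo() -> dict:
    """Constructed scenario: snapshot a known-good tree, then simulate a
    compromise that drops one executable page and tampers with an existing one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        app = root / "app"
        app.mkdir(parents=True)
        (app / "logon.aspx").write_text("<%@ Page %> known-good logon page")
        (app / "logo.png").write_bytes(b"\x89PNG constructed placeholder")
        good = snapshot(root)  # must come from a trusted install, not a post-exposure host

        # Simulated post-exploitation changes (constructed; no real implant content).
        (app / "help.aspx").write_text("<%@ Page %> page that was not in the install")
        (app / "logon.aspx").write_text("<%@ Page %> known-good logon page + tampering")
        (app / "cache.tmp").write_bytes(b"scratch data")

        diff = diff_snapshots(good, snapshot(root))
        return {"diff": diff, "suspicious": suspicious_additions(diff)}


if __name__ == "__main__":
    result = demo()
    for kind, paths in result["diff"].items():
        print(f"{kind}: {paths}")
    print("review first:", result["suspicious"])
```

A baseline recorded after the server was already exposed would include the implant itself, so it has to come from a trusted source such as a fresh install or a vendor-shipped manifest; and a clean diff is not proof of a clean host, since attackers can also persist outside the content directory.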

Adair said that other hacking groups may have found the same flaws and began their own attacks -- or that hackers may have wanted to capture as many victims as possible, then sort out which had intelligence value.

Either way, the attacks were so successful -- and so rapid -- that the hackers appear to have found a way to automate the process. “If you are running an Exchange server, you most likely are a victim,” he said.

Data from other security companies suggest that the scope of the attacks may not end up being quite that bad. Researchers from Huntress examined about 3,000 vulnerable servers on its partners’ networks and found about 350 infections -- or just over 10%.

While the SolarWinds hackers infected organizations of all sizes, many of the latest batch of victims are small- to medium-sized businesses and local government agencies. The organizations most exposed are those running an email server with the vulnerable software exposed directly to the internet, a risky setup that larger organizations usually avoid.

Smaller organizations are “struggling already due to Covid shutdowns -- this exacerbates an already bad situation,” said Jim McMurry, founder of Milton Security Group Inc., a cybersecurity monitoring service in Southern California. “I know from working with a few customers that this is consuming a great deal of time to track down, clean and ensure they were not affected outside of the initial attack vector.”

McMurry said the issue is “very bad” but added that the damage should be mitigated somewhat by the fact that “this was patchable, it was fixable.”

Microsoft said customers that use its cloud-based email system are not affected.

The use of automation to launch very sophisticated attacks may mark a new, frightening era in cybersecurity, one that could overwhelm the limited resources of defenders, several experts said.

Some of the initial infections appear to have been the result of automated scanning and installation of malware, said Alex Stamos, a cybersecurity consultant. Investigators will be looking for infections that led to hackers taking the next step and stealing data -- such as e-mail archives -- and searching them for any valuable information later, he said.

“If I was running one of these teams, I would be pulling down email as quickly as possible indiscriminately and then mining them for gold,” Stamos said.
