In its blog post on critical Exchange Server patches Tuesday, Microsoft pointed to “limited and targeted” exploitation of three vulnerabilities in the wild.
But new data suggests that the breaches may not be limited or targeted at all.
“We took a sample of about 2,000 or so of our partners’ [servers]. We saw 400 that are vulnerable, an extra 100 that are potentially vulnerable and 200 and growing that were compromised,” said John Hammond, a senior security researcher at Huntress, which focuses on security solutions for small and medium businesses.
“From everything that we can see, it seems that the threat actors are scanning the whole internet, looking for whatever happens to be vulnerable and going after that low-hanging fruit wherever they can find it,” he said.
The number of breached servers is still rising, and Huntress is tracking its findings on its website.
Microsoft attributed exploitation of a chain of four vulnerabilities to a state-sponsored Chinese group it calls Hafnium. In response to the Huntress findings, Microsoft reiterated its overarching point from yesterday’s announcements: that network defenders urgently need to update their servers.
On Wednesday, the Cybersecurity and Infrastructure Security Agency issued a binding directive to federal agencies to begin investigating and mitigating exposure to the Hafnium campaign.
Hammond says Huntress noticed a number of interesting attributes when going through compromised servers. Several had multiple versions of China Chopper, a web shell commonly associated with Chinese threat groups.
“It is so peculiar to see multiple web shells when only one really would be needed. Does that indicate that this is one disorganized actor or multiple uncoordinated actors? An automated attack? We’re scratching our heads,” he said.
Hammond also noted that the servers he looked at ran security stacks encompassing multiple vendors’ antivirus and endpoint detection and response software.
The findings from Huntress call into question Microsoft’s claim Wednesday that the breaches were “limited and targeted,” Hammond argued, given how often exploited servers turned up in the sample.
“Some might read that Microsoft article and think, ‘hey, this is very limited in scope,’” he said. “Maybe they might shrug it off and say, ‘hey, I’m a mom and pop shop. No hacker is going to come hack me.’ That is a bad mentality.”