Cybersecurity experts briefed government investigators that at least 30,000 Microsoft Exchange Servers have been breached using a chain of vulnerabilities Microsoft patched on Tuesday.
The reports, published by independent reporter Brian Krebs and later by Wired's Andy Greenberg, would confirm a trend SC Media reported earlier in the week, that security investigators were finding substantially more instances of Microsoft Exchange servers that had been breached than Microsoft's original report of "limited and targeted" attacks may have let on.
In that story, published only a day after Microsoft's announcement, John Hammond of cybersecurity vendor Huntress shared with SC Media data that would indicate a far more extensive victim pool.
“We took a sample of about 2,000 or so of our partners’ [servers]. We saw 400 that are vulnerable, an extra 100 that are potentially vulnerable and 200 and growing that were compromised,” he said, later adding: “From everything that we can see, it seems that the threat actors are scanning the whole internet, looking for whatever happens to be vulnerable and going after that low-hanging fruit wherever they can find it."
Microsoft attributed the Exchange Server hacking operation to Chinese state-sponsored actors they dubbed Hafnium. The researchers who spoke to Brian Krebs claimed as many as 100,000 servers may have been breached.
Hammond noted that the breaches appeared to be so untargeted that several servers appeared to host more than one version of the "China Chopper" webshell, an indication Hafnium breached the same server more than once. That would suggest either tactics leveraging automation or simple disorganization on the part of attackers.
"It is so peculiar to see multiple web shells when only one really would be needed," he said.
Homeland Security, Microsoft, and White House spokesperson Jen Psaki in a Friday news conference has emphasized how critical it is to patch.
“We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem,” said Microsoft in its initial announcement.