Canadian systems compromised by malware in the Microsoft Exchange breach: officials

Top cybersecurity agency warns of major Microsoft hack
The Canadian Centre for Cyber Security (CCCS) is warning about ransomware, called DearCry, targeting Microsoft's Exchange email service. The hack is extensive, and Abigail Bimman explains why it's unclear if Canadian organizations were impacted – Mar 17, 2021

Computer systems in Canada were among those impacted by a massive hack of Microsoft’s Exchange email service earlier this month, the Canadian Centre for Cyber Security (CCCS) said on Tuesday.

In an update posted to the agency’s website, the CCCS said a new family of ransomware, known as DearCry, is being “leveraged by actors exploiting the recently disclosed Exchange vulnerabilities.”

According to CCCS, in addition to DearCry, “multiple proofs of concepts leveraging the Exchange vulnerabilities resulting in remote code execution have been made publicly available.”

“These vulnerabilities are being leveraged to gain a foothold within an organization’s network for malicious activity which includes but is not limited to ransomware and the exfiltration of data,” the update read.


The CCCS said some systems within Canada have been “further compromised with malware.”

“All organizations are encouraged to refer to the updated Indicators of Compromise and Mitigation sections of this Alert for additional detection, mitigation and post-compromise guidance.”

In an email to Global News Tuesday evening, the CCCS said its Cyber Centre “does not comment on reporting by Canadian organizations or individuals regarding cyber incidents.”

“As a result, we do not have any further information to add on potential victims and/or targets,” the email read.

In a blog post earlier this month, Microsoft corporate vice president Tom Burt announced the company had discovered serious vulnerabilities in its Exchange software.


The company identified Hafnium as the threat actor behind the attack.


“Hafnium operates from China, and this is the first time we’re discussing its activity. It is a highly skilled and sophisticated actor,” the blog post read.

Burt said while Hafnium is based in China, it “conducts its operations primarily from leased virtual private servers (VPS) in the United States.”

Recently, he said, Hafnium has engaged in a number of attacks “using previously unknown exploits targeting on-premises Exchange Server Software.”

According to Burt, the hackers first gain access to an Exchange Server using stolen passwords or by disguising themselves as someone who should have access.

Next, he said, “it would create what’s called a web shell to control the compromised server remotely.”

“Third, it would use that remote access — run from the U.S.-based private servers — to steal data from an organization’s network,” he wrote.


Microsoft released security update “patches” for multiple versions of Exchange, including for older, out-of-date versions of the server.


“We strongly encourage all Exchange Server customers to apply these updates immediately,” the blog post read. “Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products.”

Burt added that “promptly applying” the patches “is the best protection against this attack.”

A ‘crazy huge hack’

Speaking at a press conference on March 5, White House Press Secretary Jen Psaki said the cyberattack could have “far-reaching impacts.”

“We are concerned there are a large number of victims, and are working with our partners to understand the scope of this, so it’s an ongoing process,” she told reporters.

“Network owners also need to consider whether they have already been compromised and should immediately take appropriate steps,” Psaki said.

A source familiar with the U.S. government’s response told Reuters on Friday that more than 20,000 U.S. organizations have been compromised in the breach.

In a series of tweets last week, Christopher Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), called the attack a “crazy huge hack.”


Krebs said first, if you think you’ve been impacted, you should patch “if you haven’t already.”

Next, he said to look for activity, and hire a team to “help, disconnect & rebuild.”
