Computer systems in Canada were among those impacted by a massive hack of Microsoft’s Exchange email service earlier this month, the Canadian Centre for Cyber Security (CCCS) said on Tuesday.
In an update posted to the agency’s website, the CCCS said a new family of ransomware, known as DearCry, is being “leveraged by actors exploiting the recently disclosed Exchange vulnerabilities.”
According to CCCS, in addition to DearCry, “multiple proofs of concepts leveraging the Exchange vulnerabilities resulting in remote code execution have been made publicly available.”
“These vulnerabilities are being leveraged to gain a foothold within an organization’s network for malicious activity which includes but is not limited to ransomware and the exfiltration of data,” the update read.
The CCCS said some systems within Canada have been “further compromised with malware.”
“All organizations are encouraged to refer to the updated Indicators of Compromise and Mitigation sections of this Alert for additional detection, mitigation and post-compromise guidance.”
In an email to Global News Tuesday evening, the CCCS said its Cyber Centre “does not comment on reporting by Canadian organizations or individuals regarding cyber incidents.”
“As a result, we do not have any further information to add on potential victims and/or targets,” the email read.
In a blog post earlier this month, Microsoft corporate vice president Tom Burt, announced the company had discovered serious vulnerabilities in its Exchange software.
The company identified Hafnuim as the threat actor behind the attack.
“Hafnium operates from China, and this is the first time we’re discussing its activity. It is a highly skilled and sophisticated actor,” the blog post read.
Burt said while Hafnuim is based in China, it “conducts its operations primarily from leased virtual private servers (VPS) in the United States.”
Recently, he said, Hafnium has engaged in a number of attacks “using previously unknown exploits tageting on-premises Exchange Server Software.”
According to Burt, the hackers gain access to an Exchange Server using stolen passwords or by disguising as someone who should have access.
Next, he said, “it would create what’s called a web shell to control the compromised server remotely.”
“Third, it would use that remote access — run from the U.S.-based private servers — to steal data from an organization’s network,” he wrote.
Microsoft released security update “patches” for multiple versions of Exchange, including for older, out of date versions of the server.
“We strongly encourage all Exchange Server customers to apply these updates immediately,” the blog post read. “Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products.”
However, Burt said “promptly applying” the patches “is the best protection against this attack.”
A ‘crazy huge hack’
Speaking at a press conference on March 5, White House Press Secretary Jen Psaki said the cyberattack could have “far-reaching impacts.”
“We are concerned there are a large number of victims, and are working with our partners to understand the scope of this, so it’s an ongoing process,” she told reporters.
“Network owners also need to consider whether they have already been compromised and should immediately take appropriate steps,” Psaki said.
A source familiar with the U.S. government’s response told Reuters on Friday that more than 20,000 U.S., organizations have been compromised in the breach.
In a series of tweets last week, Christopher Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), called the attack a “crazy huge hack.”
Krebs said first, if you think you’ve been impacted, you should patch “if you haven’t already.”
Next, he said to look for activity, and hire a team to “help, disconnect & rebuild.”