
Cybersecurity: the massive hacking of e-mail boxes, a real "grenade with the pin pulled"

2021-03-28T10:58:35.688Z


The Proxylogon security holes, which affect Microsoft Exchange servers, have paved the way for targeted cyber attacks, such as


"Few targets with vulnerable servers were able to avoid the first automated cyberattacks that have been rampant for weeks. If they did, they should play the lottery," says Pascal Le Digol, France director of WatchGuard, a little dejected.

One of his clients, an SME with 50 workstations, has just suffered a ransomware attack that crippled its entire computer system in ... six minutes.

After the hacking of the European Banking Authority's e-mail boxes, this is yet another example of the exploitation of the four "Proxylogon" security vulnerabilities that affect Microsoft's e-mail server software.

At the beginning of March, the global software giant alerted its customers to the actions of a group called "Hafnium", which had been taking advantage for months, at least, of these previously unknown "zero-day" flaws to read the e-mail boxes of US companies and strategic organizations.

"Two of them are critical and allow you to launch server commands remotely without authentication, to take full control and access all e-mails," explains Grégory Cardiet, technical director at Vectra Networks, a US specialist in real-time detection of cyberattacks.

The attackers are then able to siphon the content of the servers installed in a company or at a service provider through which all electronic exchanges pass.

"The problem is systemic because almost everyone uses Microsoft Exchange and the flaws affect all software versions since the 2010 one," analyzes Vincent Hinderer, cyber threats expert at Orange Cyberdefense.

These top-flight hackers (Microsoft has pointed the finger at the Chinese secret service) discovered a poorly locked door through which hackers of all levels have since rushed to get to work quickly.

In the second week of March alone, attempts to take advantage of these flaws increased tenfold, according to experts at Check Point, compared to the first week after the information was publicly confirmed by Microsoft.

All the tools to carry out malicious operations were unfortunately already online.

Vulnerabilities that can be exploited by low-level hackers

"The most interesting flaw and its code, like the method to exploit it, were shared on Reddit then copied and redistributed everywhere, and the list of vulnerable servers is easily accessible in databases on the Internet," emphasizes Grégory Cardiet.

"All hackers, starting from the least skilled, know how to create an automatic script that will probe servers for the presence of vulnerabilities; it is a flaw that hurts a lot," confirms Pascal Le Digol of WatchGuard Technologies.

Initially, the bleeding was severe: 400,000 Exchange servers around the world were vulnerable before the implementation of a corrective patch by Microsoft.

In France, the head of the National Information Systems Security Agency (Anssi), Guillaume Poupard, told Les Échos that "15,000 servers were vulnerable" to massive hacking and insisted on the importance of applying the security update.


"There was an unprecedented general mobilization to face the challenge and a large part of the installed base was fortunately protected; it was not the dreaded 'Pearl Harbor'," Vincent Hinderer of Orange Cyberdefense tries to reassure.

Earlier this week, Cybernews researchers assessed the number of servers still vulnerable, because they were unpatched, at 61,000 worldwide, including ... 3,389 Exchange servers exposed in France several weeks after the deployment of the Microsoft patch.

It is not enough to "patch"

"There are mainly entities that do not know which messaging system they are using or whose service provider has changed. They simply do not have the technical capacity to apply the patch," notes Jérôme Soyer, technical director for Southern Europe at Varonis, a specialist in data protection.

He warns: "And even if they manage to patch, the door remained open for an unknown time."

"The patch is not enough because some hackers had already started their intrusion attempts at the beginning of January and are potentially already in the servers and in the computer system; a deep clean-up would be necessary," agrees Vincent Hinderer of Orange Cyberdefense.

Even with the security patch, therefore, no one is immune.


Who is on the list of potential targets?

"Most large companies have already migrated to the Office 365 solution hosted in the "cloud", but this is not always the case for their subsidiaries or the SMEs and mid-caps that they have bought, with their old structures," recalls Arnaud Deschavanne, head of the Cybersecurity activity at Magellan Consulting.

"Local authorities such as town halls or hospitals, which cannot legally store their e-mails on American servers, host their servers in-house and are therefore potential victims."

At the forefront of the scenarios that give the experts cold sweats: malicious software installed on the servers.

For the past two weeks, attackers have been using the ProxyLogon flaw on a massive scale to take control of a server and install a "cryptominer" such as Lemon Duck, that is, malware that hijacks the computing power of a machine to produce virtual currency, Monero in particular.

Ransomware threat ready to explode

Even more formidable, "spear phishing", an ultra-targeted form of phishing, seems to have a bright future in the coming months for cybercriminals who have already managed to get their hands on databases of incoming and outgoing e-mail.

This is a qualitative leap in scams: there is no longer any need to promise a random target an iPhone or to get them to click on a dubious link; attackers only have to pick up the history of an e-mail conversation and pass themselves off as the sender for the trap to close on the prey.

"They are sitting on a gold mine because they have had access to all the e-mails and know all the context and who the contacts and partners of the hacked company are; they can also attack them through a pivot attack," predicts Adrien Gendre, co-founder of Vade Secure, a French specialist in malicious e-mail detection.

"As they have control of the server, they can also create rerouting rules in order to redirect e-mails to a hidden folder and intercept invoices or change bank details with complete discretion," says the expert.
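A defender-side review of the rerouting the quote describes, added here as an illustration and not part of the article or of any vendor's tooling: it assumes an Exchange Management Shell session on an on-premises organization and lists every inbox rule that forwards, redirects, moves or deletes mail, plus mailbox-level forwarding, for manual review.

```powershell
# Added example, not from the article: enumerate inbox rules and mailbox forwarding
# that could quietly divert mail (invoices, bank details) after a server compromise.
# Assumes an Exchange Management Shell session with rights to read all mailboxes.

$rules = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object {
            # Any rule that sends mail elsewhere, tucks it into a folder or deletes it
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
            $_.MoveToFolder -or $_.DeleteMessage
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
                      MoveToFolder, DeleteMessage,
                      SubjectContainsWords, FromAddressContainsWords
}

# Forwarding configured on the mailbox itself bypasses inbox rules entirely,
# so it is reviewed separately.
$forwarding = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object PrimarySmtpAddress, ForwardingAddress, ForwardingSmtpAddress,
                  DeliverToMailboxAndForward

# Persist both lists so they can be diffed against the next run; a new rule
# appearing between runs is the event worth investigating.
$rules      | Export-Csv -Path .\inbox-rules-review.csv -NoTypeInformation
$forwarding | Export-Csv -Path .\mailbox-forwarding-review.csv -NoTypeInformation

"Inbox rules to review: $(@($rules).Count); mailboxes with forwarding: $(@($forwarding).Count)"
```

Rules that move messages matching words like "invoice" or a supplier's address into an obscure subfolder are the pattern to look for; pairing the diff with mailbox audit logging shows who created the rule and when.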

Likewise, hackers can dig through e-mails at will to harvest valuable usernames and passwords and spread through the computer system until delivering the coup de grâce: the ransomware attack, with data encryption and the extortion that goes with it.

It is this grenade with the pin pulled, ready to explode, that worries the cybersecurity community the most.

"Once they are properly installed, they can deploy the ransomware of their choice because they have escalated their privileges to become the administrators of the system," analyzes Pascal Le Digol.

"They got into the victim's network 4 days earlier and set off their bomb on Friday evening, when no one was watching and they faced, at best, only a basic antivirus or a badly configured security solution," he laments.

Members affiliated with the Russian-speaking cybergang REvil wasted no time in launching a big game hunting campaign.

According to Vitali Kremez, of the cyber intelligence platform Andariel, quoted by BleepingComputer, the hackers exploited the flaw to break into the Taiwanese computer manufacturer Acer, deploy their "cryptolocker" and siphon off the data.

The result: a staggering ransom demand of $50 million, according to information from Le Mag IT.

This sword of Damocles on companies or public administrations will not disappear quickly, according to the various experts consulted.

"It will settle down a bit, but in two to three months the attacks will start again in companies and entities that have not properly monitored the event logs of their servers and missed the modification of certain parameters," worries Jérôme Soyer of Varonis.

"The different groups of attackers will come back one after the other on servers as long as they have not been patched or taken offline," anticipates Arnaud Deschavanne, whose firm has recorded an increase in requests to look for traces of intrusion and signs of compromise "in order to reassure themselves as much as possible".

"The attackers are so ingrained in the system that it is very complicated to clean everything down to the smallest detail; it's like an epidemic that will last for months or years, unless you start over from a farm of clean, new servers," prophesies Pascal Le Digol.

Other attacker profiles also play the long game: "Hackers who are already in the system can afford to wait and remain silent for 4 to 5 years and then proceed, when they want, to industrial or state espionage on a strategic company and its 10,000 e-mail boxes," warns Grégory Cardiet.

"They have already closed the door behind them anyway to prevent the competition from entering."

Source: leparis
