
Federal agencies warn Microsoft vulnerabilities pose ‘serious risk’ to government, private sector

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned Wednesday that recently uncovered vulnerabilities in a Microsoft email application pose a “serious risk” to federal agencies and the private sector, noting that thousands of groups were at risk of being targeted by hackers.

The two agencies additionally assessed that both nation-state actors and cyber criminals were exploiting the previously unknown vulnerabilities on Microsoft Exchange Server, which were reported publicly by Microsoft last week. 

“The exploitation of Microsoft Exchange on-premises products poses a serious risk to Federal Civilian Executive Branch agencies and private companies,” the two agencies wrote in a joint alert released Wednesday.

“Successful exploitation of these vulnerabilities allows an attacker to access victims’ Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.”

The agencies warned that the ongoing cybersecurity incident had “the potential to affect tens of thousands of systems in the United States and provides adversaries with access to networks containing valuable research, technology, personally identifiable information (PII), and other sensitive information from entities in multiple U.S. sectors.”

In addition, both agencies assessed that the hackers involved would “continue to exploit this vulnerability to compromise networks and steal information, encrypt data for ransom, or even execute a destructive attack. Adversaries may also sell access to compromised networks on the dark web.”

The groups targeted by the hackers — which Microsoft originally said were part of a Chinese state-sponsored group known as “Hafnium” — were non-governmental organizations along with private businesses in the agriculture, biotechnology, aerospace, defense, legal service, power utilities and pharmaceutical sectors, according to the agencies. 

While the FBI and CISA did not formally attribute the massive cyber incident to China, they wrote that the hacking “was consistent with previous targeting activity by Chinese cyber actors.”

The alert was put out as the Biden administration works to respond to the overall breach. The Wall Street Journal reported earlier this week the breach may have compromised as many as 250,000 organizations. 

Acting CISA Director Brandon Wales testified to the House Appropriations Committee’s homeland security panel on Wednesday that his agency was seeing “widespread” exploitation of the Microsoft Exchange Server vulnerabilities against both U.S. and global groups. 

CISA put out an emergency directive last week ordering federal agencies to investigate for signs of compromise and, if any were found, to immediately patch their systems.

Eric Goldstein, the executive assistant director of Cybersecurity at CISA, testified Wednesday that no federal agency had been confirmed as compromised as of Wednesday, but stressed that the investigation was in its early stages. 

“At this point in time, there are no federal civilian agencies that are confirmed to have been compromised,” Goldstein told the same House subcommittee. “This is an evolving campaign with information coming in by the hour.”

The FBI separately tweeted Wednesday that it is “investigating this malicious activity, leveraging our specially trained #cyber squads. Sharing information with us can help us collect and share intelligence and engage with victims while working to unmask—and hold accountable—cybercriminals.”