GCHQ urges British businesses to review cyber security following hack attack
Following a suspected China hack, the UK’s National Cyber Security Centre, a part of GCHQ, has issued an urgent warning to businesses to update their Microsoft email servers and reboot immediately.
Multiple organizations are exploiting a global and indiscriminate hack of Microsoft’s clients’ on-premise email servers, according to Microsoft, which traces the attack to a state-sponsored organization located in China, with tens of thousands of possible victims worldwide.
The National Cyber Security Centre (NCSC) has highlighted the urgent need for companies to patch their insecure Microsoft Exchange servers, amid concerns that the attackers’ sloppy tactics could encourage other hackers to piggyback on victims’ networks.
According to the department, the bug compromised between 7,000 and 8,000 computers, with just half of them having been fixed. The NCSC has contacted 2,300 companies to alert them to the Exchange security threat.
Officials estimate there are up to 8,000 compromised Microsoft servers in the private sector in the world, but only about half of them have been patched. Microsoft’s immediate appeal for customers operating on-premise Exchange servers to apply the fix was amplified by government security officials last week, and the company is now reporting that several organizations are exploiting unpatched networks.
The state-sponsored organization “primarily targets organizations in the United States through a range of business industries, including infectious disease analysts, law firms, higher education agencies, defence contractors, policy think tanks, and NGOs,” according to Microsoft’s initial alert.
Following the breach of these organizations’ email servers, Microsoft reports that the attackers developed web shells – interfaces that enable them to remotely access the infected network even after the original bugs have been fixed – causing further concern.
Security authorities have identified 2,300 web shells in UK firms, but more could go unreported.
“We are working closely with industry and international partners to understand the scale and impact of UK exposure, but it is vital that all organisations take immediate steps to protect their networks,” says the NCSC’s director for operations, Paul Chichester.
“Organisations should also be alive to the threat of ransomware and familiarise themselves with our guidance. Any incidents affecting UK organisations should be reported to the NCSC,” he adds.
The NCSC told the businesses that hackers had installed malware known as web shells on their servers, which could be used to gain access to systems and steal data.
The appearance of a web shell on a computer, though, does not indicate that files have been stolen. Businesses that are aware of web shells could remove the malware without a data breach occurring.
Earlier this month, Microsoft disclosed that a group of Chinese state-backed hackers had been leveraging a loophole in its Exchange email program for months, helping them to intercept emails from organizations all over the world.
On Friday, the NCSC issued new guidelines advising companies to upgrade their IT processes in order to eliminate the possibility of hackers obtaining access to content.
The Exchange hack may have an effect on up to 50,000 organizations worldwide, according to reports.
Experts also cautioned that government-backed hacker organisations have been attempting to exploit the bug, while criminal organizations have also been attempting to steal information for potential future ransom attempts.
The Norwegian parliament declared that it had been compromised as a result of the flaw, calling it an “assault on our democracy.” The full extent of the Exchange hack’s influence in the United Kingdom and Europe is unknown.