(Fortune China) Translator: 胡萌琦
A sophisticated attack on Microsoft Corp.’s widely used business email software is morphing into a global cybersecurity crisis, as hackers race to infect as many victims as possible before companies can secure their computer systems.
The attack, which Microsoft has said started with a hacking group, has so far claimed at least 60,000 known victims globally, according to a former senior U.S. official with knowledge of the investigation. Many of them appear to be small or medium-sized businesses caught in a wide net the attackers cast as Microsoft worked to shut down the hack.
The European Banking Authority became one of the latest victims, saying on March 7 that personal data may have been accessed through emails held on its Microsoft server. Others identified so far include banks and electricity providers, as well as senior citizen homes and an ice cream company, according to a March 5 blog post by Huntress, an Ellicott City, Maryland-based firm that monitors the security of its customers.
One U.S. cybersecurity company which asked not to be named said its experts alone were working with at least 50 victims, trying to quickly determine what data the hackers may have taken while also trying to eject them.
The rapidly escalating attack came months after the SolarWinds Corp. breaches by suspected Russian cyberattackers, and drew the concern of U.S. national security officials in part because the latest hackers were able to hit so many victims so quickly. Researchers say in the final phases of the attack, the perpetrators appeared to have automated the process, scooping up tens of thousands of new victims around the world in a matter of days.
Washington responds
Washington is preparing its first major moves in retaliation against foreign intrusions over the next three weeks, the New York Times reported, citing unidentified officials. It plans a series of clandestine actions across Russian networks -- intended to send a message to Vladimir Putin and his intelligence services -- combined with economic sanctions. President Joe Biden could issue an executive order to shore up federal agencies against Russian hacking, the newspaper reported.
“We are undertaking a whole of government response to assess and address the impact,” a White House official wrote in an email on March 6. “This is an active threat still developing and we urge network operators to take it very seriously.”
The hacking group appears to have been breaking into private and government computer networks through Microsoft’s popular Exchange email software for a number of months, initially targeting only a small number of victims, according to Steven Adair, head of the northern Virginia-based Volexity. The cybersecurity company helped Microsoft identify the flaws being used by the hackers, for which the software giant issued a fix on March 9.
The result is a second cybersecurity crisis coming just months after suspected Russian hackers breached nine federal agencies and at least 100 companies through tampered updates from IT management software maker SolarWinds LLC. Cybersecurity experts that defend the world’s computer systems expressed a growing sense of frustration and exhaustion.
Hafnium
“The good guys are getting tired,” said Charles Carmakal, a senior vice president at FireEye Inc., the Milpitas, California-based cybersecurity company.
Both the most recent incident and the SolarWinds attack show the fragility of modern networks and the sophistication of state-sponsored hackers, who identify hard-to-find vulnerabilities, or even create them, to conduct espionage. Both also involve complex cyberattacks with an initial blast radius of large numbers of computers that is then narrowed as the attackers focus their efforts; affected organizations can take weeks or months to resolve them.
In the case of the Microsoft bugs, simply applying the company-provided updates won’t remove the attackers from a network. A review of affected systems is required, Carmakal said. And the White House emphasized the same thing, including tweets from the National Security Council urging the growing list of victims to carefully comb through their computers for signs of the attackers.
Initially, the hackers appeared to be targeting high value intelligence targets in the U.S., Adair said. About a week ago, everything changed. Other unidentified hacking groups began hitting thousands of victims over a short period, inserting hidden software that could give them access later, he said.
Adair said that other hacking groups may have found the same flaws and began their own attacks -- or that hackers may have wanted to capture as many victims as possible, then sort out which had intelligence value.
Either way, the attacks were so successful -- and so rapid -- that the hackers appear to have found a way to automate the process. “If you are running an Exchange server, you most likely are a victim,” he said.
Data from other security companies suggest that the scope of the attacks may not end up being quite that bad. Researchers from Huntress examined about 3,000 vulnerable servers on its partners’ networks and found about 350 infections -- or just over 10%.
While the SolarWinds hackers infected organizations of all sizes, many of the latest batch of victims are small- to medium-sized businesses and local government agencies. The organizations most likely to be affected are those running an email server with the vulnerable software exposed directly to the internet, a risky setup that larger ones usually avoid.
Smaller organizations are “struggling already due to Covid shutdowns -- this exacerbates an already bad situation,” said Jim McMurry, founder of Milton Security Group Inc., a cybersecurity monitoring service in Southern California. “I know from working with a few customers that this is consuming a great deal of time to track down, clean and ensure they were not affected outside of the initial attack vector.”
McMurry said the issue is “very bad” but added that the damage should be mitigated somewhat by the fact that “this was patchable, it was fixable.”
Microsoft said customers that use its cloud-based email system are not affected.
The use of automation to launch very sophisticated attacks may mark a new, frightening era in cybersecurity, one that could overwhelm the limited resources of defenders, several experts said.
Some of the initial infections appear to have been the result of automated scanning and installation of malware, said Alex Stamos, a cybersecurity consultant. Investigators will be looking for infections that led to hackers taking the next step and stealing data -- such as e-mail archives -- and searching them for any valuable information later, he said.
“If I was running one of these teams, I would be pulling down email as quickly as possible indiscriminately and then mining them for gold,” Stamos said.