Is China Hacking Random Servers To Put Itself Into A Bad Light?
When I was an IT manager I never liked Microsoft's Exchange email servers. Like many other Microsoft products it is overloaded with useless niche features and legacies from previous versions. I am therefore not surprised that it was seemingly quite easy to hack.
A currently ongoing hacking campaign that by now has affected hundreds of thousands of systems was first found by Volexity, a cybersecurity company in Reston, Va.:
In January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two of its customers’ Microsoft Exchange servers. Volexity identified a large amount of data being sent to IP addresses it believed were not tied to legitimate users. A closer inspection of the IIS logs from the Exchange servers revealed rather alarming results.
...
Through its analysis of system memory, Volexity determined the attacker was exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). The attacker was using the vulnerability to steal the full contents of several user mailboxes. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.
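As an added example (not from the post, from Volexity, or from Microsoft), here is one way to implement the detection signal Volexity describes: parse the IIS W3C logs of an Exchange server, sum the bytes the server sent to each client address, and flag addresses outside the known client networks that received unusually large volumes. The log lines, the allowlisted network prefix and the threshold are constructed for illustration.

```python
"""Aggregate bytes the server sent per client IP from IIS W3C logs and flag
unexpected peers that received large volumes (the signal Volexity described).
The log lines below are constructed sample data, not real captures."""
from collections import defaultdict

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes
2021-02-28 10:00:01 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200 51200 512
2021-02-28 10:00:07 10.0.0.5 POST /ecp/ - 443 - 203.0.113.77 python-requests/2.25 200 3145728 1024
2021-02-28 10:00:09 10.0.0.5 POST /ecp/ - 443 - 203.0.113.77 python-requests/2.25 200 4194304 1024
2021-02-28 10:01:30 10.0.0.5 GET /owa/ - 443 CORP\\bob 10.0.1.21 Mozilla/5.0 200 40960 400
"""

# Constructed allowlist of networks that legitimately talk to this server.
KNOWN_CLIENT_PREFIXES = ("10.0.1.",)
VOLUME_THRESHOLD = 1024 * 1024  # bytes; tune to the server's normal traffic


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log line appeared before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed or truncated lines rather than misalign columns
        yield dict(zip(fields, values))


def bytes_sent_per_client(text):
    """Total sc-bytes (server -> client) per client IP."""
    totals = defaultdict(int)
    for rec in parse_iis_w3c(text):
        totals[rec["c-ip"]] += int(rec.get("sc-bytes", 0))
    return dict(totals)


def suspicious_peers(text, known_prefixes=KNOWN_CLIENT_PREFIXES, threshold=VOLUME_THRESHOLD):
    """Client IPs outside the known networks that received more than `threshold` bytes."""
    return sorted(ip for ip, total in bytes_sent_per_client(text).items()
                  if total > threshold and not ip.startswith(known_prefixes))
```

On the sample data only the unknown address receives several megabytes; on a real server the threshold has to be set against the normal per-client volume of OWA and ActiveSync traffic.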
The hackers used four different zero-day security holes in Exchange Server products. A zero-day security hole is one that was previously unknown to the vendor and had not been seen in use before. Finding new zero-day holes is difficult and expensive, but once they are found and made operational they are often easy to use. Whoever carried out this hack invested considerable effort.
Besides extracting emails, the hackers also installed backdoors that give them remote access to the hacked Exchange systems.
On March 2 Microsoft released patches for the four security holes. In its release it accused China of being behind the hack:
Today, we’re sharing information about a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC) that we are calling Hafnium. Hafnium operates from China, and this is the first time we’re discussing its activity. It is a highly skilled and sophisticated actor. Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.
Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we’ve seen use these exploits, which are discussed in detail by MSTIC here. The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.
In a related blog post Microsoft claims that the 'Chinese' hackers have state support:
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
Since Microsoft released the security patches the hackers have gone into overdrive. They scan the internet and infiltrate all Exchange Servers that have not yet been patched. It is now believed that more than 30,000 U.S. systems and hundreds of thousands internationally have been infiltrated, with backdoors installed on seemingly all of them.
Such a widespread hacking campaign will certainly get major media attention. (Though the NYT and Washington Post have so far not reported on the campaign. They probably think that the Sunday edition front pages are the better placement for a new anti-China bash.)
Attribution of hacking campaigns is often extremely difficult. We know from the Wikileaks Vault 7 release that U.S. government hackers at the CIA’s Center for Cyber Intelligence have developed tools that let their hacks look like they came from different foreign actors:
The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation. With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from.
We can be quite sure that other governments have developed similar capabilities.
The CIA is also hoarding zero-day security holes and exploits for use in later campaigns:
The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware. This includes multiple local and remote weaponized "zero days" ...
The attribution Microsoft makes is, in light of the above, quite weak. The direct attacks came from rented virtual private servers within the U.S. These were, says Microsoft, operated through machines in China. But how does Microsoft know who actually has control over those machines in China? Could they not be hacked too? Couldn't the real actors sit anywhere on this planet and access them through the Internet?
Microsoft also says that its attribution is "based on observed victimology, tactics and procedures". The victims are described as "infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs".
For a state sponsored campaign, especially one that burns four expensive zero-days, that victimology is unusually wide. It practically guaranteed that the attack would be detected fairly soon.
"Tactics and procedures" are even harder to attribute than the code used in an attack. Microsoft details some of these:
HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.
This hack used legitimate open source tools that are widely available and are also used by many cybercrime organizations and secret services. What then are the specific 'tactics and procedures' that attribute this to China?
Microsoft won't say.
There is also the fact that the hackers have gone into overdrive as soon as Microsoft released the patches. They are now infecting any system they can find. That surely will result in an extreme amount of international publicity.
Why would a state sponsored hacking campaign, especially from China, actually want that? Why would China want to attract more negative news about its country?
Could there be some other country that has an interest in pushing public accusations against China by linking it to a massive global hacking campaign?
Over the last few years we have seen a massive anti-China press campaign run by the usual culprits. Recent polls show that it has achieved its purpose:
A new Gallup poll finds Americans' favorable rating of China has declined further in the past year, sinking to a record-tying low. For the first time in more than a decade, Americans regard the U.S. rather than China as the world's leading economic power. And with fewer Americans than in 2019 naming Russia as the United States' greatest enemy, Russia and China now tie for first on that list.
To which Peter Lee comments with his usual snark:
chinahand @chinahand - 19:05 UTC · Mar 5, 2021
actually the most interesting stat was that in apparently direct proportion to China hate the number of people who said US is and will be world economic numero uno now and in 20 years rose. which means fear of china breeds both denialism and defiance.
final thought: this polling is kinda Mission Accomplished! for the press and its pentagon and spook services driven anti-PRC reporting. Next job is Sell the War!
Then the after action handwringing about how the real enemy wasn't PRC, it was climate change & income inequality and Indopacom's moronic defense contractor driven power grab in the Western Pacific but the PRC started it coz they were so darn mean!
"That sh*t in the sh*t sandwich we sold you? Some of it was Chinese!"
In my view Microsoft has so far shown nothing that plausibly attributes the hacks to China.
What we can see though is that this hacking campaign will put the country into a very bad light. That might indeed have been the real purpose behind all of this.
Posted by b on March 6, 2021 at 18:57 UTC | Permalink
https://www.moonofalabama.org/2021/03/is-china-hacking-random-servers-to-put-itself-into-a-bad-light.html