By Raphael Satter and Christopher Bing
WASHINGTON (Reuters) – An unknown hacking group recently broke into organizations using a newly discovered flaw in Microsoft mail server software, a researcher said on Tuesday, in an example of how commonly used programs can be exploited to cast a wide net online.
Microsoft’s near-ubiquitous suite of products has been under scrutiny since the hack of SolarWinds, the Texas-based software firm that served as a springboard for several intrusions across government and the private sector. In other cases, hackers took advantage of the way customers had set up their Microsoft services to compromise their targets or dive further into affected networks.
Hackers who went after SolarWinds also breached Microsoft itself, accessing and downloading source code – including elements of Exchange, the company’s email and calendaring product.
Mike McLellan, director of intelligence for Dell Technologies Inc’s Secureworks, said he noticed the recent issue after a sudden spike in activity touching Exchange servers overnight on Sunday, with around 10 customers affected at his firm.
“It appears to be someone scanning and exploiting Microsoft Exchange servers in some way. We don’t know how,” he told Reuters.
Microsoft said in a statement that it would be “releasing an update and additional guidance to customers as soon as possible.” The statement said there was no relationship between the recent activity and the SolarWinds-tied hacking campaign.
McLellan said that for now, the hackers appeared focused on seeding malicious software and setting the stage for a potentially deeper intrusion rather than aggressively moving into networks right away.
“We haven’t seen any follow-on activity yet,” he said. “We’re going to find a lot of companies affected but a smaller number of companies actually exploited.”
McLellan said he had no solid indication of who might be responsible. The hackers in this case were using a strain of malware called “China Chopper,” which – despite the name – is used by a variety of digital spies.
The profile of the targets did not match any particular online threat, McLellan said. “It looks like a bit of a random mix.”
(Reporting by Raphael Satter and Christopher Bing; Editing by Dan Grebler)