Chinese? No, can’t be. Such a fine (un)democratic despotic nation like China? Who would have thought.

But the timeline is interesting. On Tuesday 2 March 2021, Microsoft released patches to Exchange. Then, as reported by Brian Krebs:

In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.

In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.

And as reported in Bloomberg this morning:

The attack, which Microsoft has said started with a Chinese government-backed hacking group, has so far claimed at least 60,000 known victims globally, according to a former senior U.S. official with knowledge of the investigation. Many of them appear to be small or medium-sized businesses caught in a wide net the attackers cast as Microsoft worked to shut down the hack.

The European Banking Authority became one of the latest victims as it said Sunday that access to personal data through emails held on the Microsoft server may have been compromised. Others identified so far include banks and electricity providers, as well as senior citizen homes and an ice cream company, according to Huntress, an Ellicott City, Maryland-based firm that monitors the security of customers, in a blog post Friday.

“The good guys are getting tired,” said Charles Carmakal, a senior vice president at FireEye Inc., the Milpitas, California-based cybersecurity company.

Indeed – but not just because our servers are attacked all the time, but because Cybersecurity is not taken seriously by a majority of the businesses and gov entities in the western world. And taking it seriously means buying the kit and the staff to monitor it. I have said numerous times, until there are real existential penalties for cybersecurity negligence, nothing much will happen. We see Europe moving in the correct direction, but here in the U.S., forget it. Too many companies are making money selling private info harvested by many means, including hacking. As for the good security kit, most believe they can buy the cheapest kit on Amazon, plug it in and forget it. Yeah, right. You think Amazon cares? Most of the junk they sell ships from China, is manufactured there, or is sold below cost to drive under the real Cybersecurity companies who are trying to defend against attacks like these.

But let the party roll on. Buy your Cybersecurity on the likes of Amazon. At least blogs like ours will have more breaches to report.

But back to the Exchange breach:

In the case of the Microsoft bugs, simply applying the company-provided updates won’t remove the attackers from a network. A review of affected systems is required, Carmakal said. And the White House emphasized the same thing, including tweets from the National Security Council urging the growing list of victims to carefully comb through their computers for signs of the attackers.

Initially, the Chinese hackers appeared to be targeting high value intelligence targets in the U.S., Adair said. About a week ago, everything changed. Other unidentified hacking groups began hitting thousands of victims over a short period, inserting hidden software that could give them access later, he said.

“They went to town and started doing mass exploitation — indiscriminate attacks compromising exchange servers, literally around the world, with no regard to purpose or size or industry,” Adair said. “They were hitting any and every server that they could.”

Adair said that other hacking groups may have found the same flaws and began their own attacks — or that China may have wanted to capture as many victims as possible, then sort out which had intelligence value.

Either way, the attacks were so successful — and so rapid — that the hackers appear to have found a way to automate the process. “If you are running an Exchange server, you most likely are a victim,” he said.

Bloomberg Article cited is here