(Bloomberg) -- Newly discovered flaws in Microsoft Corp.’s software for email have raised concerns at the highest levels of the U.S. government, which is urging users to immediately apply patches.
At least 30,000 organizations across the U.S., including significant numbers of small businesses and local governments, have been hacked via holes in Microsoft’s email software in the last few days by suspected Chinese attackers who are focused on stealing email from victims, the blog KrebsOnSecurity reported Friday.
“This is a significant vulnerability that could have far-reaching impacts,” said Jen Psaki, the White House press secretary, speaking at a briefing. “We are concerned there are a large number of victims.” She characterized the incident as an “active threat.”
Her remark comes after Microsoft disclosed on Tuesday that nation-state hackers based in China were exploiting previously unknown flaws in on-premise versions of the software and released patches for them. The following day, the Cybersecurity and Infrastructure Security Agency, which is known as CISA and is part of the Department of Homeland Security, issued an emergency directive in response to “observed active exploitation of these products.” As a result, civilian agencies and departments were directed to apply the patches, or disconnect Microsoft Exchange from their networks, and to look for compromises.
Government concern over the flaws continued to build over the course of the week. On Thursday, CISA released an alert stating that it was aware of hackers using tools to search for servers that hadn’t yet been patched. That evening, National Security Advisor Jake Sullivan wrote on Twitter that the U.S. is “closely tracking Microsoft’s emergency patch.” He cited “reports of potential compromises of U.S. think tanks and defense industrial base entities.”
The specific targets and timing of the hacking remain unknown. Defense Department spokesman John Kirby said the Pentagon is assessing its systems based on Microsoft’s advisory. The cybersecurity firm FireEye Inc. found that victims included “U.S.-based retailers, local governments, a university, and an engineering firm.” The version of Exchange targeted by hackers is typically run by small businesses, putting them at special risk, according to Allan Liska, an analyst at the firm Recorded Future Inc.
A Microsoft representative said the vulnerabilities were disclosed to the company in early January. Microsoft isn’t aware of attacks before then, the representative said.
The cybersecurity firm Volexity reported finding attacks leveraging the flaws that date back to as early as Jan. 6. However, CISA urged operators to look for compromises dating back to September, “out of an abundance of caution,” according to a spokesperson.
A spokesman for the Chinese Foreign Ministry said in a press briefing on March 3 that conclusions on hacks into Microsoft servers should be based on complete evidence and avoid wanton accusations.