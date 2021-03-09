Since last week, news has been going around the world that a hacker group attributed to China and called "Hafnium" is attacking Microsoft's widely used "Exchange Server" e-mail software. American and German authorities are alarmed and are sending out warnings. But how dangerous is the attack really, and how can you protect yourself? We clarify the most important questions on the topic.

What happened?

Four vulnerabilities have been identified in Microsoft's Exchange Server e-mail software, which is used by a very large share of companies and organizations worldwide. Used together, they allow attackers to gain administrator-level access (that is, full rights) to an organization's e-mail server, to read the data stored on it and even to install programs of their own choosing. Once inside, the attackers typically plant a so-called "webshell": a small script that is served by the web server itself and lets them control the machine remotely over ordinary web requests.

The vulnerabilities became public when Microsoft disclosed them last Tuesday and published security updates that close the holes. However, according to security researchers, attackers have been exploiting the weaknesses since January, and the patches do not remove an attacker who has already penetrated the e-mail server. It is like a wasp that has flown into a jar before you put the lid on: no more wasps get in, but the one that is already inside stays there. Anyone who patches must therefore also check whether a webshell or other backdoor was left behind beforehand.
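The "wasp already in the jar" point is the practical one for administrators: after patching, the server still has to be searched for webshells that were dropped earlier. The following Python script is an added example and not part of the original article; it is a simple triage heuristic, not an authoritative detection, and the file extensions, the cutoff date and the suspicious-pattern list are all assumptions chosen for illustration. It walks a directory, looks at ASP.NET handler files (`.aspx`, `.ashx`, `.asmx`) modified after a cutoff, and flags those that match at least two patterns typical of webshells. The constructed sample in `demo()` contains one benign page that uses `Request[...]` legitimately and one file shaped like a one-line eval webshell; only the latter is flagged.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Heuristic patterns often seen in ASP.NET webshells. Assumption: this list is
# illustrative triage only; real hunts use vendor IOCs and file-hash/YARA checks.
SUSPICIOUS = [
    re.compile(rb"Request\s*\[", re.I),        # reads attacker-supplied input
    re.compile(rb"eval\s*\(", re.I),           # evaluates input as code
    re.compile(rb"Process\.Start", re.I),      # spawns a process
    re.compile(rb"cmd\.exe", re.I),
    re.compile(rb"powershell", re.I),
    re.compile(rb"System\.Diagnostics", re.I),
]

# Extensions the script inspects (assumption: typical IIS/ASP.NET handlers).
HANDLER_SUFFIXES = (".aspx", ".ashx", ".asmx")


def scan_for_webshells(root, modified_after, min_matches=2, max_size=256 * 1024):
    """Return [(path, [matched_patterns])] for handler files under `root` that were
    modified after `modified_after` (epoch seconds) and match >= min_matches patterns.
    Requiring two independent patterns cuts false positives: a normal logon page
    may read Request[...] but will not also eval() it."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in HANDLER_SUFFIXES or not path.is_file():
            continue
        st = path.stat()
        if st.st_mtime < modified_after or st.st_size > max_size:
            continue  # old file, or too large to be a typical dropped shell
        data = path.read_bytes()
        matched = [p.pattern.decode() for p in SUSPICIOUS if p.search(data)]
        if len(matched) >= min_matches:
            hits.append((str(path), matched))
    return hits


def demo():
    """Constructed sample tree (not real Exchange files): one benign page and one
    file shaped like a JScript eval webshell. Returns the scan result."""
    d = Path(tempfile.mkdtemp())
    (d / "auth").mkdir()
    (d / "auth" / "logon.aspx").write_text(
        '<%@ Page Language="C#" %><% var user = Request["user"]; %>Welcome')
    (d / "auth" / "help.aspx").write_text(
        '<%@ Page Language="JScript" %><% eval(Request["cmd"], "unsafe"); %>')
    # Assumed cutoff: the article says exploitation began in January 2021.
    cutoff = datetime(2021, 1, 1).timestamp()
    return scan_for_webshells(d, cutoff)


if __name__ == "__main__":
    for path, patterns in demo():
        print(f"SUSPECT {path}: {', '.join(patterns)}")
```

Point the script at the web server's content directories on a server that was exposed before it was patched; anything it flags should be inspected by hand, and a hit is a reason to start incident response, not the end of it.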

Who is affected by the attack?

Almost every company and organization. Exchange Server is by far the most widely used e-mail server software in a professional context. All Exchange servers that companies, authorities or other institutions run on their own premises and that are reachable from the Internet, for example via "Outlook Web Access", are at risk. Only if the Exchange server is configured so that it can be reached solely through a secure VPN connection, that is, only from company laptops, for example, is it not at risk according to the current state of knowledge.

The server search engine Shodan has counted nearly 270,000 servers worldwide that are at risk. Of these, just under 58,000 are in Germany; after the United States, Germany is the country with the most endangered servers. Germany's technical cyber defense authority, the Federal Office for Information Security (BSI), has therefore issued a warning at the highest urgency level, "red", for only the second time since the color coding was introduced.

Prominent victims known so far include the European Banking Authority, which took its e-mail system offline on Sunday and Monday because of the attack. In addition, the BSI said on Tuesday that six unnamed federal authorities were also affected. Four of them were compromised, it said, which probably means that hackers were able to get into four agencies. The BSI gave no further details. In any case, these victims are likely to be only the tip of the iceberg; more are expected to follow.