“Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack,” a source working closely with federal officials told Krebs on Security. Victims that we know of include “police departments, hospitals, tons of city and state governments and credit unions.”
While Microsoft has now rolled out patches to update and fix those zero-day flaws, experts fear that Hafnium has already planted “web shells” on many of the servers, giving them a backdoor into various organizations’ systems to access their data. Some also fear that removing those existing backdoors may open the gateway to more being planted by the Chinese hacking group.
When asked for comment, Microsoft revealed that it has since been working with the U.S. Cybersecurity & Infrastructure Security Agency as well as other government branches and security companies in order to find a remedy and mitigate the effects suffered. “The best protection is to apply updates as soon as possible across all impacted systems,” a company statement reads. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”