More than 20,000 US organizations have been compromised through a backdoor installed through recently patched flaws in Microsoft Corp’s email software, a person familiar with the US government’s response said on Friday.
Piracy has already reached more places than all the tainted code downloaded from SolarWinds Corp, the company at the center of another wave of massive piracy discovered in December.
The latest hack has left channels for remote access to spread between credit unions, city governments and small businesses, according to US investigation records.
Tens of thousands of organizations in Asia and Europe are also affected, the records show.
The attacks continue despite emergency patches issued by Microsoft on Tuesday.
Microsoft, which had initially said the attacks consisted of “limited and targeted attacks,” declined to comment on the scale of the problem on Friday, but said it was working with government agencies and security companies to provide assistance to customers.
He added that “affected customers should contact our support teams for additional help and resources.”
A scan of connected devices showed that only 10% of the vulnerable had installed the patches by Friday, although the number was increasing.
Because installing the patch does not remove the back doors, US officials are rushing to figure out how to notify all victims and guide them in their search.
All those affected appear to be running web versions of the Outlook email client and hosting them on their own machines, rather than relying on cloud providers. That may have saved many of the largest companies and federal government agencies, the records suggest.
The Federal Agency for Infrastructure Security and Cybersecurity did not respond to a request for comment.
Earlier on Friday, White House press secretary Jen Psaki told reporters that the vulnerabilities found in Microsoft’s widely used Exchange servers were “significant” and “could have far-reaching impacts.”
“We are concerned that there are a large number of victims,” Psaki said.
Microsoft and the person working with the US response blamed the initial wave of attacks on a Chinese government-backed actor. A Chinese government spokesman said the country was not behind the intrusions.
What began as a controlled attack late last year on some classic spy targets turned into a widespread campaign last month. Security officials said that implied that, unless China had changed tack, a second group could have gotten involved.
More attacks from other hackers are expected as the code used to take control of mail servers spreads.
Hackers have only used back doors to re-enter and navigate infected networks in a small percentage of cases, probably less than 1 in 10, said the person who works with the government.
“A couple hundred people are exploiting them as fast as they can,” stealing data and installing other ways to come back later, he said.
The initial route of the attack was discovered by prominent Taiwanese cyber researcher Cheng-Da Tsai, who said he reported the flaw to Microsoft in January. He said in a blog post that he was investigating whether the information was leaked.
It did not respond to requests for additional comment.