Chinese state-sponsored hackers have attacked on-premises versions of Microsoft Exchange Server using zero-day exploits in an effort to obtain long-term access to victim environments.
Microsoft disclosed that it has detected limited and targeted attacks by Hafnium, a group believed to be state-sponsored and operating out of China, whose targets include infectious disease researchers, institutions of higher education, law firms, think tanks, and non-governmental organizations.
Groups other than Hafnium may launch attacks using these vulnerabilities as they become more widely known.
The four vulnerabilities – CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 – can allow threat actors to take control of an affected system and access the victim’s information. Specifically, these vulnerabilities allow threat actors to:
- Send arbitrary HTTP requests;
- Authenticate as the Exchange server;
- Run code on the Exchange server using administrator permissions; and
- Write a file to any path on the server after compromising a legitimate administrator’s credentials.
On March 2, 2021, Microsoft released patches to address four zero-day vulnerabilities being exploited to attack on-premises Microsoft Exchange Servers. The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has urged vulnerable businesses to read Microsoft’s update and apply the patches to their systems as necessary. Microsoft stressed that the exploits detailed today were in no way connected to the separate SolarWinds-related attacks. “We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.