Chinese hackers have used a Microsoft email product to steal data


Photo: Drew Angerer / Getty Images

In the latest in a series of security headaches for Microsoft, the company warned customers on Tuesday that state-sponsored hackers from China had exploited flaws in one of its widely used email products, Exchange, to attack US companies and steal data.

In several recently published blog posts, the company listed four newly discovered zero-day vulnerabilities associated with the attacks, along with patches and a list of indicators of compromise. Exchange users have been urged to update to avoid being hacked.

Microsoft researchers have dubbed the main hacker group behind the attacks ‘HAFNIUM’, describing it as a ‘highly skilled and sophisticated actor’ whose espionage is aimed at data theft. In previous campaigns, HAFNIUM was known to target a wide variety of entities in the US, including “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” they said.

In the case of Exchange, the attacks resulted in data being stolen from email accounts. Exchange works with email clients such as Microsoft Office, syncing updates to devices and computers, and is widely used by companies, universities and other large organizations.

The attacks on the product unfolded as follows: the hackers used the zero-days to gain access to an Exchange server (in some cases they also used compromised credentials). They would then typically deploy a web shell (a malicious script) to take control of the server remotely. From there they could steal data from the connected network, including entire batches of emails. The attacks were carried out from private servers based in the US, according to Microsoft.

Tom Burt, Microsoft Corporate Vice President of Customer Security, said on Tuesday that customers need to act quickly to patch the associated security flaws:

While we have worked quickly to implement an update to the Hafnium exploits, we know that many national actors and criminal groups will act quickly to take advantage of unpatched systems. Applying the current patches immediately is the best protection against this attack.

The situation was originally brought to Microsoft’s attention by researchers from two different security companies, Volexity and Dubex. According to KrebsOnSecurity, Volexity first found evidence of the intrusion campaigns on January 6. In a blog post on Tuesday, Volexity researchers helped break down what the malicious activity looked like in one particular case:

Through its system memory analysis, Volexity determined that the attacker was exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). The attacker used the vulnerability to steal the entire contents of various user mailboxes. This vulnerability can be exploited remotely and does not require any form of authentication, special knowledge or access to a target environment. The attacker only needs to know which server is running Exchange and which account they want to extract email from.

These recent hacking campaigns – which Microsoft has said are ‘limited and targeted’ in nature – are separate from the ongoing ‘SolarWinds’ attacks that the tech giant is also currently embroiled in. The company has not said how many organizations were targeted or successfully compromised by the campaign, and other threat actors besides HAFNIUM may be involved. Microsoft says it has notified federal authorities of the incidents.
