Microsoft has revealed a new state threat actor, named Hafnium, that’s been exploiting previously unknown zero-day vulnerabilities in the on-premises Exchange Server software.
A zero-day vulnerability is always a serious matter and usually a good-enough reason for companies to quickly address it with a patch. Microsoft found not one, but four such vulnerabilities in their Microsoft Exchange Server 2013, 2016 and 2019 solutions. The company released a so-called out-of-band update, meaning it was outside of the regular schedule.
Finding out about multiple zero-day vulnerabilities in a single product, with exploits in the wold, is an uncommon occurrence. When something like this happens, it’s usually the product of a major threat actor, often at the behest of nation-states.
“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks,” said Microsoft. “In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.”
“The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in the Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server,” explained Microsoft.
The company attributed the campaign to a group they named HAFNIUM, which was assessed to be state-sponsored and operating out of China. The APT’s primary targets are in the United States but it has no preference for a particular industry, targeting infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.
Their methods are not unlike what’s been observed before as the group uses stolen credentials or undiscovered vulnerabilities to pose as legitimate users. Once the hackers are in, they create a web shell to control the compromised server remotely. After they secure access to the network’s infrastructure, they begin stealing data.
While the company did issue patches to close the vulnerabilities, not all customers will be quick to install them. Microsoft warned users that, now with the vulnerabilities exposed, the group will likely intensify its attacks and hit companies before they have a chance to patch up their infrastructure.