Microsoft Patches 4 Zero-Day Exchange Server Flaws Exploited By Chinese Hackers, Update ASAP
Microsoft says a state-sponsored group of hackers operating out of China has been exploiting several zero-day vulnerabilities in Exchange Server, ultimately gaining unauthorized access to email accounts and address books. The intrusions also allowed the group to install "additional malware to facilitate long-term access" to compromised accounts. This appears to be a completely separate group from the one behind the SolarWinds attacks.
"We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem," Microsoft stated in a blog post.
There are four zero-day vulnerabilities in total, assigned CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The first of those is a server-side request forgery (SSRF) flaw that let the attackers, without any credentials, send arbitrary HTTP requests and ultimately authenticate as the Exchange server.
As for the others: CVE-2021-26857 is an insecure deserialization bug in the Unified Messaging service that let the group run code as SYSTEM on the Exchange server, while CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file write flaws, so once the SSRF bug had supplied the authentication, the attackers could write files to any path on a compromised server. Chained together, the flaws were used to deploy web shells, steal data from victims, and "perform additional malicious actions that lead to further compromise."
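Because the end product of that chain is a web shell dropped into a web-served directory, the first thing a responder checks on a possibly exposed server is whether any server-side script files have appeared or changed there. The following hunt script is an added example, not Microsoft's detection tooling or anything from the article: it walks a web root, picks out ASP.NET script files, and flags those that combine request input with a code-execution primitive. The indicator list, the demo directory layout, and the two sample pages it builds are all constructed for illustration; the real root on an Exchange server would be its IIS/FrontEnd web directories.

```python
"""Hunt for dropped ASP.NET web shells under an IIS web root.

Added example, not Microsoft's or the article's own tooling. The indicator
strings, directory layout and sample pages are illustrative assumptions.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# File types IIS executes server-side; anything new or changed here deserves a look.
SCRIPT_SUFFIXES = {".aspx", ".asp", ".ashx", ".asmx"}

# Constructs a legitimate page rarely combines: attacker-controlled request input
# fed into something that runs code. Each (name, regex) is an assumed indicator.
INDICATORS = [
    ("request-input", re.compile(r"Request\s*[\[.]", re.I)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("process-start", re.compile(r"Process\s*\.\s*Start\s*\(", re.I)),
    ("cmd", re.compile(r"\bcmd(\.exe)?\b", re.I)),
    ("diagnostics", re.compile(r"System\.Diagnostics", re.I)),
    ("assembly-load", re.compile(r"Assembly\.Load\s*\(", re.I)),
]


@dataclass
class Finding:
    path: str
    modified_hours_ago: float
    indicators: list


def scan_web_root(root, min_indicators=2, max_age_hours=None, now=None):
    """Return Findings for script files matching >= min_indicators distinct
    indicators. max_age_hours, if set, restricts results to recently modified
    files (useful to prioritise, but old shells are still shells)."""
    now = time.time() if now is None else now
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        age_h = (now - p.stat().st_mtime) / 3600.0
        if max_age_hours is not None and age_h > max_age_hours:
            continue
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue
        hits = [name for name, rx in INDICATORS if rx.search(text)]
        if len(hits) >= min_indicators:
            findings.append(Finding(str(p), round(age_h, 1), hits))
    return findings


def build_demo_tree():
    """Constructed sample web root: one benign, month-old logon page and one
    fresh page shaped like a minimal JScript web shell. Returns the root path."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    auth = Path(root) / "owa" / "auth"
    auth.mkdir(parents=True)

    benign = auth / "logon.aspx"
    benign.write_text(
        '<%@ Page Language="C#" %>\n'
        '<% string user = Request.Form["username"]; %>\n'
        "<html><body><form method=\"post\"></form></body></html>\n"
    )
    month_ago = time.time() - 30 * 24 * 3600
    os.utime(benign, (month_ago, month_ago))  # looks long-established

    shell = auth / "help.aspx"  # hypothetical file name
    shell.write_text(
        '<%@ Page Language="JScript" %>\n'
        '<% eval(Request.Item["cmd"], "unsafe"); %>\n'
    )
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for f in scan_web_root(demo_root):
        print(f"{f.path}: modified {f.modified_hours_ago}h ago, hits={f.indicators}")
```

On a real host, run it against the web directories IIS serves for Exchange and compare anything it flags against file hashes from a known-good server; a single indicator (a logon page reading `Request.Form`) is normal, while the combination of request input and `eval`/`Process.Start` in a file no one deployed is not.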
According to Microsoft, the group, which it tracks as HAFNIUM, mostly targets organizations and individuals in the United States. Targets span a variety of sectors, including infectious disease researchers, law firms, educational institutions, defense contractors, and so forth.
"In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments," Microsoft says.
The zero-day vulnerabilities in question affect on-premises Microsoft Exchange Server 2019, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2013; Exchange Online is not affected.
On the bright side, Microsoft says the exploits have so far only been used in "limited targeted attacks." Nevertheless, given the critical nature of the zero-day flaws, Microsoft is pushing out several security updates and recommends that anyone potentially affected install them right away.