In the latest in a series of security-related headaches for Microsoft, the company warned customers Tuesday that China’s state-sponsored hackers have been exploiting flaws in Exchange, one of its widely used email products, in order to target US companies for data theft.
In several recent blog posts, the company listed four zero-day vulnerabilities associated with the attacks, along with patches and a list of indicators of compromise. Exchange users have been urged to upgrade to avoid being hacked.
Microsoft researchers have dubbed the main hacking group behind the attacks “HAFNIUM,” describing it as a “highly skilled and sophisticated actor” who focuses on conducting espionage through data theft. In past campaigns, HAFNIUM has targeted a wide variety of entities across the United States, including “infectious disease researchers, law firms, institutions of higher education, defense contractors, policy think tanks, and NGOs,” they said.
In the case of Exchange, these attacks have led to the exfiltration of data from email accounts. Exchange works with mail clients like Microsoft Office, syncs updates to devices and computers, and is widely used by businesses, universities, and other large organizations.
The attacks on the product have unfolded like this: hackers take advantage of the zero-days to gain access to an Exchange server (in some cases they also used compromised credentials). They then typically install a web shell (a malicious script) to control the server remotely. From there they can steal data from the organization’s network, including entire runs of email. The attacks were carried out from private servers based in the United States, according to Microsoft.
Microsoft’s corporate vice president of customer security, Tom Burt, said Tuesday that customers must move quickly to patch the associated security flaws:
Although we have worked quickly to implement an update for Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched system. Immediate application of current patches is the best protection against this attack.
Initially, researchers from two different security companies, Volexity and Dubex, brought the situation to Microsoft’s attention. According to KrebsOnSecurity, Volexity first found evidence of the intrusion campaigns on January 6. In a blog post on Tuesday, Volexity researchers broke down what the malicious activity looked like in one particular case:
Through its analysis of system memory, Volexity determined that the attacker was exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). The attacker was using the vulnerability to steal the entire contents of multiple user mailboxes. This vulnerability can be exploited remotely and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server that is running Exchange and from which account he wants to extract the email.
These recent hacking campaigns, which Microsoft has described as “limited and targeted” in nature, are not associated with the ongoing “SolarWinds” attacks that the tech giant is also currently dealing with. The company has not said how many organizations were successfully targeted or compromised by the campaign, and threat actors other than HAFNIUM may also be involved. Microsoft says it has informed federal authorities about the incidents.