Posted on March 3, 2021 at 12:06 PM
Chinese Hackers Exploit Vulnerabilities in Exchange Servers
Microsoft has warned users about exploitation on exchange server flaws from Chinese hackers. The tech giant discovered that the hackers were chaining multiple zero-day exploits to steal email data from corporate Microsoft Exchange servers. However, Exchange Online and all other Microsoft products were not affected by the attack.
Microsoft has also released emergency patches for four of the flaws that constituted part of the hackers attacking weaponry. “We strongly urge customers to update on-premises systems immediately,” the company advised.
HAFNIUM group blamed for the attack
Microsoft said the perpetrator is HAFNIUM, a Chinese APT operator with operations from leased VPS in the U.S.
Generally, HAFNIUM attacks companies in the U.S. in different industry sectors such as policy think tanks, defense contractors, higher educational institutions, law firms, infectious disease researchers, as well as NGOs.
Microsoft stated that from the findings of its analysts, there is high certainty that HAFNIUM is a cybercriminal group sponsored by the Chinese government, based on the group’s procedures, tactics, and victimology.
The vulnerability exposed the customers of the tech giant to remote code execution attacks that don’t require authentication.
Microsoft added that the threat actor took advantage of flaws to gain access to the on-premises Exchange servers, giving them unauthorized access to email accounts.
Hackers targeted four vulnerabilities
It also enabled the hackers to install additional malware for long-term access to victim environments.
The four vulnerabilities being exploited in the wild include CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, and CVE-2021-26855.
The CVE-2021-26855 vulnerability enables the attacker to send ransom HTTP requests and authenticate as the Exchange’s server. The CVE-2021-26855 vulnerability is particularly serious because it can be exploited remotely with no authentication required. The hackers only have to find out which server is running the Exchange and account they want the email extraction done.
Microsoft also said the attackers followed three steps to exploit the flaws. In the first step, the group was able to access an Exchange Server by making use of previously discovered vulnerabilities or by using stolen passwords. In the second step, the attacker-controlled the compromised server remotely after creating a web shell for that purpose.
For the third step, the threat actors used remote access from the private servers in the U.S. to steal data from organizations’ networks.
Microsoft urges customers to administer a patch
Microsoft has also revealed it discovered HAFNIUM interacting with victim Officer 365 tenants. Although they were not successful in the attacks, their incessant activities on the network give them more chance to compromise customer accounts, Microsoft stated.
The hackers also succeeded in downloading the Exchange offline address book from the breached servers. The compromised details contain details about the victim organization as well as information about its users, according to Microsoft.
Microsoft also said the report on the hacking incident was credited to cybersecurity firm Volexity. The security firm has also published a blog post that uses video to demonstrate the technical details of the attack. It also revealed the IP addresses the hackers used in the attack.
Volexity also revealed it discovered irregular activities from two of its customers’ Exchange servers earlier in January, which gave insights towards the discovery of the attacks.
According to Volexity, the attacks started as early as January 6.
And with a second vulnerability, the hacker can have full access to remote code execution, which enables them to install malware on the server.
Microsoft also said it has worked tirelessly to provide a patch and update to the flaw. However, it’s important not to throw caution to the winds by ensuring customers’ systems are fully updated. The tech giant said customers should apply the fix as soon as possible to stay fully protected.
To further stress safety and security, the company wants to release a patch for the Microsoft Exchange server 2010 to help reduce the threat levels. Microsoft has also updated its free antivirus to detect HAFNIUM’s malware tools.