Microsoft says Chinese hackers from the Hafnium group waged “limited and targeted attacks,” in which its Exchange Email servers were breached to steal data using 0-day flaws.
In its recent blog post, Microsoft has identified that a group of sophisticated Chinese hackers targeted its popular email service called Microsoft Exchange. According to the tech giant, the attackers exploited four vulnerabilities in its popular email service that allowed them to access its servers and email accounts.
The now-patched vulnerabilities also let attackers install additional malware to “facilitate long-term access to victim environments,” the company noted while adding that the cloud-based version of the service was not affected.
The hackers waged “limited and targeted attacks,” working through virtual private servers. The company’s software was accessed via stolen passwords, after which the group installed malware to obtain data.
Who are the Targets?
In the blog post, Microsoft Corporate Vice President of Customer Security & Trust Tom Burt didn’t specify the targets but mentioned that businesses using on-premises Exchange Server software are under threat.
Burt says there’s no evidence that individual consumers were targeted or that the exploits have affected other Microsoft products.
Moreover, Burt confirmed that the recent attacks on its Exchange servers have no connection to the SolarWinds hacks that breached around 9 US government agencies and nearly 100 private firms.
Microsoft Blames Hafnium for Attacks
Microsoft believes that Hafnium, a state-sponsored hacking group operating out of China, is responsible for the attacks on the Exchange email service.
The company didn’t provide evidence of Hafnium’s involvement but did state that its Threat Intelligence Center reached that conclusion after observing the group’s “tactics and procedures.”
Hafnium is known for stealing data from US-based infectious disease researchers, defense contractors, higher-education institutions, law firms, non-government organizations, and policy think tanks.
“This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers,” Microsoft’s blog stated.
Microsoft issues patches for four 0-day vulnerabilities
Microsoft is asking users to download and install the patches for the four vulnerabilities found in MS Exchange.
“We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately,” the post read.
The vulnerabilities were found in MS Exchange Server 2013, 2016, and 2019 and include the following:
1. CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability that attackers can exploit to send arbitrary HTTP requests.
2. CVE-2021-26857 is an insecure deserialization vulnerability in which a program deserializes untrusted, user-controllable data. Attackers can exploit it to run code as SYSTEM on the Exchange server after acquiring administrator permission.
3. CVE-2021-26858 is a post-authentication arbitrary file write vulnerability that could allow an attacker who has authenticated with the Exchange server to write a file to any path on the server.
4. CVE-2021-27065 is another post-authentication arbitrary file write vulnerability. Hafnium could authenticate with the Exchange server either by compromising legitimate admin credentials or by exploiting the CVE-2021-26855 SSRF vulnerability, and then write a file to any path on the server.