Microsoft recently addressed four zero-day vulnerabilities in its Exchange email server. The flaws’ impact is quite alarming, as the Exchange platform is one of the most popular in enterprise infrastructure.
Moreover, Microsoft believes the flaws were actively exploited by a China-based threat group known as Hafnium, which Microsoft says has been seeking persistent access to email systems. Although the attacks were described as limited and targeted, other threat groups are also taking advantage of the zero-days. Indications of attacks date back to the beginning of 2021.
Hafnium hackers targeting various institutions
It is worth mentioning that this is the first time Microsoft has mentioned Hafnium publicly. The group has been targeting various institutions and experts, including law firms, education facilities, NGOs, and disease researchers.
Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States, says Tom Burt, corporate vice president for Customer Security & Trust at Microsoft.
Microsoft has worked quickly to patch the vulnerabilities exploited by Hafnium. However, other nation-state threat actors and hackers are expected to take advantage of unpatched systems. Applying the patches as soon as possible will minimize the risk of any compromise related to the Exchange zero-days.
More about the four Exchange mail server zero-days
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
The vulnerabilities affecting Microsoft Exchange Server are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Fortunately, Exchange Online is not affected. Affected versions include Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019.
The flaws are used as part of an attack chain, Microsoft warns. To be initiated successfully, the attack requires an untrusted connection to a specific Exchange server port, 443. This entry point can be protected by restricting untrusted connections, or by setting up a VPN to separate the server from external access. However, these mitigations only offer partial protection: the company warns that other portions of the attack chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.
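As an added example (not from the article or from Microsoft), the check below applies the mitigation described above to connection logs: it flags allowed connections to the Exchange server's port 443 that come from outside a set of trusted ranges. The log format, the trusted networks (an internal LAN and a VPN client pool) and the log lines themselves are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# Hypothetical trusted source ranges for the Exchange server's port 443:
# the internal LAN and the VPN client pool the article suggests fronting the server with.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # internal LAN
    ipaddress.ip_network("172.16.50.0/24"),   # VPN client pool
]

# Constructed firewall log lines: "timestamp src_ip dst_ip dst_port action".
SAMPLE_LOG = """\
2021-03-02T08:14:01Z 10.1.4.22 10.1.1.5 443 ALLOW
2021-03-02T08:14:07Z 172.16.50.9 10.1.1.5 443 ALLOW
2021-03-02T08:15:33Z 203.0.113.77 10.1.1.5 443 ALLOW
2021-03-02T08:15:40Z 198.51.100.12 10.1.1.5 443 ALLOW
2021-03-02T08:16:02Z 198.51.100.12 10.1.1.5 25 ALLOW
"""

def is_trusted(src: str) -> bool:
    """True if the source address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETWORKS)

def untrusted_https_connections(log_text: str, exchange_port: int = 443) -> List[Tuple[str, str]]:
    """Return (timestamp, src_ip) for allowed connections to the Exchange port
    from outside the trusted ranges. Each one is a connection that the
    restriction described in the article should not have permitted."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        ts, src, _dst, port, action = parts
        if action != "ALLOW" or int(port) != exchange_port:
            continue
        if not is_trusted(src):
            findings.append((ts, src))
    return findings

if __name__ == "__main__":
    for ts, src in untrusted_https_connections(SAMPLE_LOG):
        print(f"{ts} untrusted source {src} reached port 443")
```

As the article notes, this only covers the externally initiated first step of the chain; the later steps do not need that untrusted connection, so a clean result here does not mean the server is safe from an attacker who already has access.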
It is worth noting that last March, state-sponsored hacking groups were exploiting CVE-2020-0688, another vulnerability in Microsoft Exchange email servers. Then, in May, Exchange servers were targeted by the so-called Valar Trojan. That malware campaign mainly hit victims in Germany and the USA, and it was rated an advanced threat delivered to vulnerable systems in multiple stages.