In the latest in a string of security-related headaches for Microsoft, the company warned customers Tuesday that state sponsored hackers from China have been exploiting flaws in one of its widely used email products, Exchange, in order to target American companies for data theft.
In several recently published blog posts, the company listed four newly discovered zero-day vulnerabilities associated with the attacks, as well as patches and a list of compromise indicators. Users of Exchange have been urged to update to avoid getting hacked.
Microsoft researchers have dubbed the main hacker group behind the attacks “HAFNIUM,” describing it as a “highly skilled and sophisticated actor” focused on conducting espionage via data theft. In past campaigns, HAFNIUM has been known to target a wide variety of entities throughout the U.S., including “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” they said.
In the case of Exchange, these attacks have meant data exfiltration from email accounts. Exchange works with mail clients like Microsoft Office, synchronizing updates to devices and computers, and is widely used by companies, universities, and other large organizations.
Attacks on the product have unfolded like this: hackers will leverage zero days to gain entry to an Exchange server (they also sometimes used compromised credentials). They then typically will deploy a web shell (a malicious script), hijacking the server remotely. Hackers can then steal data from an associated network, including whole tranches of emails. The attacks were conducted from U.S.-based private servers, according to Microsoft.
Microsoft Corporate Vice President of Customer Security Tom Burt said Tuesday that customers should work quickly to update associated security flaws:
Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack.
The situation was originally brought to Microsoft’s attention by researchers at two different security firms, Volexity and Dubex. According to KrebsOnSecurity, Volexity initially found evidence of the intrusion campaigns on Jan. 6. In a blog post Tuesday, Volexity researchers helped break down what the malicious activity looked like in one particular case:
Through its analysis of system memory, Volexity determined the attacker was exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). The attacker was using the vulnerability to steal the full contents of several user mailboxes. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and what account from which they want to extract e-mail.
These recent hacking campaigns—which Microsoft has said are “limited and targeted” in nature—are unassociated with the ongoing “SolarWinds” attacks that the tech giant is also currently embroiled in. The company hasn’t said how many organizations were targeted or successfully compromised by the campaign, though other threat actors besides HAFNIUM may also be involved. Microsoft says it has briefed federal authorities on the incidents.