Chinese hackers are exploiting a Microsoft email product to steal data


Photograph: Drew Angerer (Getty Images)

In the latest in a series of security-related headaches for Microsoft, the company warned customers on Tuesday that Chinese state-sponsored hackers have been exploiting flaws in one of its widely used email products, Exchange, in order to target American companies for data theft.

In several recently published blog posts, the company listed four newly discovered zero-day vulnerabilities associated with the attacks, along with patches and a list of indicators of compromise. Exchange users were urged to update to avoid being hacked.

Microsoft researchers dubbed the main group of hackers behind the attacks “HAFNIUM”, describing it as a “highly qualified and sophisticated actor” focused on espionage via data theft. In previous campaigns, HAFNIUM has been known to target a wide variety of entities in the United States, including “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” they said.

In the case of Exchange, these attacks meant exfiltration of data from email accounts. Exchange works with email clients like Microsoft Office, synchronizing updates across devices and computers, and is widely used by companies, universities and other large organizations.

The attacks on the product went like this: the hackers used the zero-day flaws to gain access to an Exchange server (sometimes they also used compromised credentials). Then they typically deployed a web shell (a malicious script), which let them control the server remotely. From there, the hackers could steal data from the associated network, including entire email inboxes. The attacks were conducted from private servers based in the United States, according to Microsoft.
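As an added illustration of the defender's side of the chain described above (not code from the article, Microsoft or Volexity), the following Python script scans IIS W3C log lines from an Exchange front end and flags POST requests to .aspx pages that legitimate clients do not normally post to, which is how a dropped web shell is usually driven. The sample log lines, the client addresses and the allowlist of expected POST targets are constructed assumptions for the example.

```python
from collections import Counter

# Illustrative allowlist of pages legitimate clients POST to on an Exchange
# front end. This is an assumption for the example; build yours from a
# baseline of your own servers' traffic.
EXPECTED_POST_TARGETS = {"/owa/auth.owa", "/ecp/default.aspx"}

# Constructed sample IIS W3C log (W3C logs carry their own column list in
# the '#Fields:' header; client IPs are documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-03-02 10:01:11 POST /owa/auth.owa - 443 198.51.100.5 302
2021-03-02 10:01:15 GET /owa/auth/logon.aspx - 443 198.51.100.5 200
2021-03-02 10:02:40 POST /owa/auth/constructed-example.aspx - 443 203.0.113.9 200
2021-03-02 10:02:41 POST /OWA/auth/Constructed-Example.aspx - 443 203.0.113.9 200
2021-03-02 10:03:02 POST /ecp/default.aspx - 443 198.51.100.5 200
"""

def parse_w3c(log_text):
    """Yield one dict per request line, taking the column order from the
    '#Fields:' header instead of hard-coding it."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed lines rather than crash
        yield dict(zip(fields, values))

def find_suspicious_posts(log_text, allowlist=EXPECTED_POST_TARGETS):
    """Return {(uri, client_ip): hits} for POSTs to .aspx pages outside the
    allowlist. URIs are lower-cased so case games do not split the count."""
    hits = Counter()
    for req in parse_w3c(log_text):
        uri = req["cs-uri-stem"].lower()
        if req["cs-method"] == "POST" and uri.endswith(".aspx") and uri not in allowlist:
            hits[(uri, req["c-ip"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (uri, ip), n in sorted(find_suspicious_posts(SAMPLE_LOG).items()):
        print(f"{n:3d} POST(s) to {uri} from {ip}")
```

A hit is a lead, not a verdict: confirm it by checking whether the flagged file actually exists on disk and when it was created.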

Tom Burt, Microsoft's corporate vice president of customer security, said on Tuesday that customers should move quickly to patch the associated security holes:

Although we have worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched system. Immediate application of today’s patches is the best protection against this attack.

The situation was originally brought to Microsoft’s attention by researchers from two different security firms, Volexity and Dubex. According to KrebsOnSecurity, Volexity first found evidence of the intrusion campaigns on January 6. In a blog post on Tuesday, Volexity researchers broke down what the malicious activity looked like in one specific case:

Through its analysis of system memory, Volexity determined that the attacker was exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). The attacker was using the vulnerability to steal the entire contents of multiple user mailboxes. This vulnerability can be exploited remotely and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know which server is running Exchange and which account they want to extract the email from.

These recent hacking campaigns – which Microsoft said were “limited and targeted” in nature – are not associated with the ongoing “SolarWinds” attacks that the technology giant is also currently dealing with. The company did not say how many organizations were successfully targeted or compromised in the campaign, and noted that other threat actors besides HAFNIUM may also be involved. Microsoft says it has informed federal authorities of the incidents.
