Microsoft Exchange Server

SpearTip | March 3rd, 2021


According to SC Media, Microsoft released patches Tuesday for four critical vulnerabilities that Chinese hackers are using in targeted attacks on Microsoft Exchange Server.

In a series of three blog posts released Tuesday, Microsoft said a group operating out of China, which the company calls Hafnium, chained these vulnerabilities together in targeted attacks to gain access.

Microsoft Exchange Server Exploited

“We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem,” Microsoft noted in the blog post, which was provided to SC Media before release.

Microsoft was quick to caution that this hacking is unrelated to Solarigate.

The initial stage of the attack involves an untrusted connection to a target server over port 443, meaning that aspect of the attack could be mitigated by restricting untrusted connections or using a virtual private network to cordon off the server. But Microsoft warns that if the hackers have already breached the system, or if they can convince an administrator to open a malicious file, that mitigation will not work.

Hafnium is focused on stealing data from U.S. firms across a variety of industries, including infectious disease researchers, law firms, defense contractors, higher education, think tanks, and non-government organizations, said Microsoft. It stages attacks through leased virtual private servers in the United States, exfiltrating data through file-sharing sites like Mega.

“While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers in the United States,” according to Microsoft.

Vulnerable versions include Microsoft Exchange Server 2013, 2016 and 2019. Microsoft suggests patching these immediately.

The four vulnerabilities include CVE-2021-26855, a server-side request forgery vulnerability that allowed Hafnium to manipulate authentication. With that authentication in hand, Hafnium could then use either of two file write vulnerabilities also patched Tuesday, CVE-2021-26858 and CVE-2021-27065.

The fourth vulnerability, CVE-2021-26857, is an insecure deserialization vulnerability in the Unified Messaging service that allowed the hackers to run code on Exchange servers, but it required either an additional vulnerability or an administrator’s permission to exploit.

Given that many organizations rely on Microsoft products, SpearTip’s experts also recommend patching these vulnerabilities as soon as possible. Our Security Operations Center is working 24/7 to monitor client networks and stay up to date with the latest vulnerabilities. Sharing vulnerabilities as soon as they are discovered is crucial, as threat actors rush to exploit them as soon as they find them. Our ShadowSpear® Platform will notify our certified engineers of any malicious activity in client environments and allow them to respond with confidence and precision.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you are experiencing a breach, please call our Security Operations Center at 833.997.7327.
