Microsoft warned its customers on Tuesday and named the actor it holds responsible: according to the company, Chinese hackers are behind a wave of attacks on Exchange Server. Microsoft says American organizations were targeted through exploitation of previously unknown flaws in the on-premises email product.
Chinese Attackers Exploit Microsoft Exchange
Microsoft called attention to four recently discovered zero-day vulnerabilities and, alongside the disclosure, published patches for them together with a list of indicators of compromise that administrators can use to check whether their own servers have been hit.
Researchers with the company have labeled the hacking group as “HAFNIUM.” They explained the group is a “highly skilled and sophisticated actor” with a focus on espionage through data theft. HAFNIUM has been known to pursue several U.S. entities, including “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” according to the researchers.
The Exchange attacks have led to data exfiltration from email accounts. The attackers gain entry to an Exchange server by exploiting the zero days, often drop a web shell to keep remote control of the compromised server, and then use that foothold to steal data from the associated network. Microsoft said the attacks were launched from leased virtual private servers located in the United States.
Tom Burt, Microsoft corporate vice president of customer security, urged Exchange customers to patch the flaws without delay. “Even though we’ve worked quickly to deploy an update for the HAFNIUM exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack,” he said.
Researchers at two separate security firms, Volexity and Dubex, reported the Exchange attacks to Microsoft. The Volexity researchers found the first evidence of the attacks on January 6.
In a blog post, the researchers said, “Through its analysis of system memory, Volexity determined the attacker was exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). The attacker was using the vulnerability to steal the full contents of several user mailboxes. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and what account from which they want to extract e-mail.”
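The article mentions web shells and Microsoft's list of indicators of compromise but reproduces neither. The script below is an added example, not code from the article, Microsoft or Volexity: a simple hunt for web-shell-like files under an Exchange server's web directories, of the kind an administrator would run after patching. The script extensions, the content patterns, the baseline date and the sample files it builds in a temporary directory are all assumptions made for illustration, not published indicators.

```python
"""Web-shell hunt over an Exchange server's web directories.

Added example, not code from the article, Microsoft or Volexity. The
extensions, content patterns, baseline date and sample files below are
assumptions made for illustration, not published indicators of compromise.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

# Assumed: extensions IIS executes as server-side script.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}

# Assumed: source patterns typical of a command-execution web shell:
# a request parameter that reaches a process launcher or dynamic code loading.
SUSPICIOUS_PATTERNS = [
    re.compile(r"Request\s*(\.Form|\.QueryString|\.Item)?\s*\[", re.I),
    re.compile(r"Process\.Start|ProcessStartInfo", re.I),
    re.compile(r"\beval\s*\(|Assembly\.Load|CreateInstance", re.I),
]

# Assumed known-clean date; in practice, the day the server was last patched
# or imaged. Files written after it with one suspicious pattern are flagged;
# files matching two or more patterns are flagged regardless of age.
BASELINE = datetime(2021, 3, 1, tzinfo=timezone.utc)


def scan_file(path: Path, baseline: datetime = BASELINE) -> Optional[dict]:
    """Return a finding for `path` if it looks like a web shell, else None."""
    if path.suffix.lower() not in SCRIPT_EXTENSIONS:
        return None
    try:
        text = path.read_text(errors="ignore")
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
    except OSError:
        return None
    hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(text)]
    newer = mtime > baseline
    if len(hits) >= 2 or (hits and newer):
        return {"path": str(path), "modified_after_baseline": newer, "hits": hits}
    return None


def hunt_web_shells(root: str, baseline: datetime = BASELINE) -> List[dict]:
    """Walk `root` recursively and return findings sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = scan_file(Path(dirpath) / name, baseline)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root: str) -> None:
    """Write constructed sample files (not real artifacts) under `root`."""
    root_p = Path(root)
    (root_p / "owa").mkdir(parents=True)
    (root_p / "ecp").mkdir(parents=True)
    # Benign page: no suspicious tokens.
    (root_p / "owa" / "default.aspx").write_text(
        '<%@ Page Language="C#" %><html><body>Sign in</body></html>'
    )
    # Constructed web-shell-like page: request parameter fed to Process.Start.
    (root_p / "ecp" / "sample_shell.aspx").write_text(
        '<%@ Page Language="C#" %><script runat="server">'
        'void Page_Load(){ string c = Request["cmd"]; '
        'System.Diagnostics.Process.Start("cmd.exe", "/c " + c); }</script>'
    )
    # Legitimate page that reads a request parameter and predates the baseline:
    # one pattern hit and an old mtime, so it is not flagged.
    old = root_p / "owa" / "logon.aspx"
    old.write_text('<%@ Page Language="C#" %><% var u = Request["user"]; %>')
    stamp = datetime(2020, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(old, (stamp, stamp))


def run_demo() -> List[dict]:
    """Build the sample tree in a temp dir and return the hunt's findings."""
    root = tempfile.mkdtemp(prefix="exchange-hunt-")
    build_sample_tree(root)
    return hunt_web_shells(root)


if __name__ == "__main__":
    for f in run_demo():
        age = "after-baseline" if f["modified_after_baseline"] else "pre-baseline"
        print(f["path"], age, f["hits"])
```

On a real server you would point `hunt_web_shells` at the Exchange and IIS web roots rather than the sample tree, set the baseline to the last known-good patch or image date, and treat the output as a triage list to compare against Microsoft's published indicators, not as proof of compromise on its own: a file modification time can be forged by an attacker, which is why the pattern check does not depend on it alone.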
Not Associated with “SolarWinds”
Microsoft has been getting it from all angles lately; the company is also entangled in the fallout from the SolarWinds compromise. But according to Microsoft, the Exchange attacks are not connected to SolarWinds.
Microsoft has not said how many organizations have been affected by the Exchange attacks. It is also believed that HAFNIUM may not be acting alone and that other actors may be involved. Federal authorities have been briefed on the Exchange attacks.