Microsoft Exchange targeted by China-linked hackers

IT admins have been urged to urgently patch on-premise Exchange Server systems

A laptop on a table with the Microsoft Exchange logo displayed

Microsoft’s Exchange mail servers have been targeted by a group of state-backed hackers operating out of China, according to the tech giant.

The threat actors took advantage of four previously-undetected zero-day vulnerabilities in its software that allowed hackers to access servers for Microsoft Exchange. These flaws were labelled CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Microsoft’s latest Security Response Center (MSRC) release.

The company said that it believes the attacks were carried out by the Hafnium group, which Microsoft described as “state-sponsored and operating out of China, based on observed victimology, tactics and procedures”.

Microsoft’s corporate VP of Customer Security & Trust, Tom Burt, said that “while Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States”.

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs,” he said, adding that the group “engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software”.

According to Burt, the threat actors carry out the attack in three steps: “First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely.

Related Resource

Improving cyber security for remote working

13 recommendations for security from any location

Download now

"Third, it would use that remote access – run from the US-based private servers – to steal data from an organisation’s network."

Microsoft advised customers to update on-premises Exchange Server 2013, 2016 and 2019 systems immediately, adding that Exchange Online hadn’t been affected and that the attacks are in "no way connected to the separate SolarWinds-related attacks”. The company has been under intense scrutiny since it was found that an exploit in Microsoft 365 was used by SolarWinds hackers to access government and the private sector information, including MalwareBytes’ internal emails.

However, Microsoft maintained that it continues “to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services”. 

Burt added that the Hafnium group-led attack is the eighth case in the last 12 months of a nation-state group targeting critical institutions to be disclosed by Microsoft.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

Hackers leak data from dark web marketplace
cyber security

Hackers leak data from dark web marketplace

9 Apr 2021
How to encrypt files and folders in Windows 10
encryption

How to encrypt files and folders in Windows 10

9 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Evidence suggests REvil behind Harris Federation ransomware attack
ransomware

Evidence suggests REvil behind Harris Federation ransomware attack

9 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021