Microsoft Exchange targeted by China-linked hackers

IT admins have been urged to urgently patch on-premise Exchange Server systems

Microsoft’s Exchange mail servers have been targeted by a group of state-backed hackers operating out of China, according to the tech giant.

The threat actors took advantage of four previously-undetected zero-day vulnerabilities in its software that allowed hackers to access servers for Microsoft Exchange. These flaws were labelled CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Microsoft’s latest Security Response Center (MSRC) release.

The company said that it believes the attacks were carried out by the Hafnium group, which Microsoft described as “state-sponsored and operating out of China, based on observed victimology, tactics and procedures”.

Microsoft’s corporate VP of Customer Security & Trust, Tom Burt, said that “while Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States”.

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs,” he said, adding that the group “engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software”.

According to Burt, the threat actors carry out the attack in three steps: “First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely.

Related Resource

How to improve cyber security for remote working

13 recommendations for security from any location

How to improve cyber security for remote working - whitepaper from MimecastDownload now

"Third, it would use that remote access – run from the US-based private servers – to steal data from an organisation’s network."

Microsoft advised customers to update on-premises Exchange Server 2013, 2016 and 2019 systems immediately, adding that Exchange Online hadn’t been affected and that the attacks are in "no way connected to the separate SolarWinds-related attacks”. The company has been under intense scrutiny since it was found that an exploit in Microsoft 365 was used by SolarWinds hackers to access government and the private sector information, including MalwareBytes’ internal emails.

However, Microsoft maintained that it continues “to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services”. 

Burt added that the Hafnium group-led attack is the eighth case in the last 12 months of a nation-state group targeting critical institutions to be disclosed by Microsoft.

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Recommended

NSA and CISA publish guidance on hardening Kubernetes following cloud infrastructure cyber attacks
Security

NSA and CISA publish guidance on hardening Kubernetes following cloud infrastructure cyber attacks

4 Aug 2021
McAfee’s zero trust solution strengthens private applications’ security
cyber security

McAfee’s zero trust solution strengthens private applications’ security

3 Aug 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Mastering endpoint security implementation
Security

Mastering endpoint security implementation

3 Aug 2021

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021
Square to acquire Afterpay for $29 billion
mergers and acquisitions

Square to acquire Afterpay for $29 billion

2 Aug 2021