Microsoft Exchange targeted by China-linked hackers

IT admins have been urged to urgently patch on-premise Exchange Server systems

Microsoft’s Exchange mail servers have been targeted by a group of state-backed hackers operating out of China, according to the tech giant.

The threat actors took advantage of four previously-undetected zero-day vulnerabilities in its software that allowed hackers to access servers for Microsoft Exchange. These flaws were labelled CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Microsoft’s latest Security Response Center (MSRC) release.

The company said that it believes the attacks were carried out by the Hafnium group, which Microsoft described as “state-sponsored and operating out of China, based on observed victimology, tactics and procedures”.

Microsoft’s corporate VP of Customer Security & Trust, Tom Burt, said that “while Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States”.

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs,” he said, adding that the group “engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software”.

According to Burt, the threat actors carry out the attack in three steps: “First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely.

Related Resource

How to improve cyber security for remote working

13 recommendations for security from any location

How to improve cyber security for remote working - whitepaper from MimecastDownload now

"Third, it would use that remote access – run from the US-based private servers – to steal data from an organisation’s network."

Microsoft advised customers to update on-premises Exchange Server 2013, 2016 and 2019 systems immediately, adding that Exchange Online hadn’t been affected and that the attacks are in "no way connected to the separate SolarWinds-related attacks”. The company has been under intense scrutiny since it was found that an exploit in Microsoft 365 was used by SolarWinds hackers to access government and the private sector information, including MalwareBytes’ internal emails.

However, Microsoft maintained that it continues “to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services”. 

Burt added that the Hafnium group-led attack is the eighth case in the last 12 months of a nation-state group targeting critical institutions to be disclosed by Microsoft.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Bridging the DevSecOps divide: Spotlight on key relationships
Whitepaper

Bridging the DevSecOps divide: Spotlight on key relationships

3 Dec 2021
Planned Parenthood cyber attack exposes data of 400,000 patients
cyber attacks

Planned Parenthood cyber attack exposes data of 400,000 patients

3 Dec 2021
Bridging the DevSecOps divide: Spotlight on zero trust
Whitepaper

Bridging the DevSecOps divide: Spotlight on zero trust

3 Dec 2021
Bridging the developer and security divide
Whitepaper

Bridging the developer and security divide

3 Dec 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
Access brokers are making it easier for ransomware operators to attack businesses
cyber security

Access brokers are making it easier for ransomware operators to attack businesses

1 Dec 2021