Chinese hackers exploited a Microsoft product via email to steal data


In the latest of a series of security headaches for Microsoft, the company advised customers on Tuesday that Chinese state-sponsored hackers had exploited flaws in one of its most widely used e-mail products, Exchange, to target US organizations for data theft.

In several recent blog posts, the company detailed four newly discovered zero-day vulnerabilities used in the attacks, along with patches and a list of indicators of compromise. Exchange users were urged to apply the updates to avoid being hacked.

Microsoft researchers have named the main group behind the attacks “HAFNIUM”, describing it as a “highly skilled and sophisticated actor” focused on espionage and data theft. In previous campaigns, HAFNIUM has targeted a wide range of entities across the United States, including “infectious disease researchers, law firms, higher education institutions, defense contractors, political think tanks and NGOs,” they said.

In the case of Exchange, the attacks resulted in data being exfiltrated from e-mail accounts. Exchange works with e-mail clients such as Microsoft Office, synchronizes updates across devices and computers, and is widely used by companies, universities and other large organizations.

The attacks on the product unfolded as follows: the hackers used the zero-days to gain access to an Exchange server (in some cases they also used compromised credentials). They then typically deployed a web shell (a malicious script) to take remote control of the server. From there, the hackers could steal data from the associated network, including entire tranches of e-mail. The attacks were carried out against private servers in the United States, according to Microsoft.

Tom Burt, Microsoft’s vice president of customer security, said Tuesday that customers should move quickly to patch the associated security flaws:

Even though we have worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack.

The situation was initially brought to Microsoft’s attention by researchers from two different security companies, Volexity and Dubex. According to KrebsOnSecurity, Volexity first found evidence of the intrusion campaigns on January 6. In a blog post on Tuesday, Volexity researchers broke down the malicious activity in one case:

By analyzing system memory, Volexity determined that the attacker exploited a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). The attacker used the vulnerability to steal the full contents of several users’ mailboxes. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require special knowledge or access to a target environment. The attacker just needs to know the server running Exchange and which account they want to extract the emails from.

These recent hacking campaigns, which Microsoft said are “limited and targeted” in nature, are not associated with the ongoing “SolarWinds” attacks, in which the technology giant is also currently involved. The company did not say how many organizations were successfully targeted or compromised by the campaign, although other threat actors besides HAFNIUM may be involved. Microsoft says it has informed federal authorities about the incidents.
