Microsoft closes zero days in Exchange ‘that have been abused by Chinese hackers’

Microsoft has fixed four zero-day vulnerabilities in Exchange Server. They are said to have been abused by Chinese spies to steal data from American defense contractors, law firms and infectious disease researchers.

Microsoft Exchange Server Attacked By Chinese Hackers

Microsoft has discovered several zero-day exploits in Microsoft Exchange Server that have been used in a number of targeted attacks against US victims, the company says in a security blog post. The vulnerabilities gave the attackers access to on-premises Exchange servers running versions 2013 to 2019, and thus to email accounts, after which they could install malware. Microsoft is urging users to install the patch as soon as possible.

Microsoft attributes the exploits ‘with great certainty’ to the Chinese hacker group Hafnium. This is a group linked to the Chinese government that actively focuses on stealing data from American individuals who work at law firms, in higher education, at political think tanks and at non-profits, among other places. The group also targets defense contractors and infectious disease researchers. Hafnium primarily operates from rented virtual private servers in the US, Microsoft says.

In this case, four zero-days were discovered that had been actively abused. CVE-2021-26855 allowed attackers to send arbitrary HTTP requests and impersonate an Exchange server. CVE-2021-26857 gave attackers the ability to run high-privileged code on an Exchange server, which required them either to already have full administrator access or to chain it with the previous vulnerability. With CVE-2021-26858 or CVE-2021-27065, attackers could write files to any location on the Exchange server they wanted.

The hackers worked in three steps, according to Microsoft. First, they gained access to on-premises Exchange servers by exploiting these vulnerabilities or by using stolen passwords. Hafnium was then able to set up web shells on the Exchange servers, after which the hackers could remotely control the server.

The hackers then stole data and installed malware. They also downloaded complete address books, which gave them information about organizations and users. Microsoft says it has notified the US government of the attacks.

Security firm Volexity discovered two of the vulnerabilities in January after noticing that a large amount of data was being sent to suspicious IP addresses. At first Volexity thought a backdoor was being used, but the company soon found that multiple zero-days were involved. One of the zero-days requires no authentication to exploit.

An attacker only needs to know which server is running Exchange and which email address they want to steal data from. In a blog post, the company explains in detail how the vulnerabilities could be exploited.