Microsoft says Beijing-backed hackers are exploiting four zero-day vulnerabilities in Exchange Server to steal data from defense contractors, law firms, and infectious disease researchers.
The Windows giant today issued patches for Exchange to close up the bugs, and recommended their immediate application by all. On-prem and hosted Exchange, from version 2013 to 2019, are vulnerable and need fixing up.
Microsoft’s corporate veep for customer security and trust Tom Burt named the miscreants “Hafnium,” said they operate in China though use US-based servers, and classified the cyber-spy team as “a highly skilled and sophisticated actor” that’s nation-state sponsored.
Burt said the snoops conduct a three-step attack:
- Gain access to an Exchange Server either using stolen passwords or by using zero-day vulnerabilities, and disguise themselves as a legitimate user.
- Control the compromised Exchange Server remotely using a web shell.
- Use the resulting remote access, from servers located in America, to exfiltrate internal data.
The Chinese spies have in their arsenal four zero-day bugs to break into vulnerable Exchange installations; they are, according to Microsoft:
We note that Microsoft recommends “prioritizing installing updates on Exchange Servers that are externally facing.”
Malware attack that crippled Mumbai’s power system came from China, claims infosec intel outfit Recorded Future
Security consultancy Volexity, which Microsoft credits with having helped it uncover two of the bugs, has posted its account of the incidents that led it to alert the tech goliath.
Volexity said it noticed unusual activity on clients’ Exchange Servers in January 2021 and upon investigation spotted “a large amount of data being sent to IP addresses it believed were not tied to legitimate users.
Redmond also thanked Orange Tsai from the DEVCORE research team, Dubex, and its own Microsoft Threat Intelligence Center for discovering and reporting the holes. Microsoft named cloud file locker Mega.nz, a service founded by the Kim Dotcom, as one of Hafnium’s preferred destinations for exfiltrated data.
While the zero-day attacks don’t work against cloudy Exchange, users of Microsoft’s cloud messaging services need to be careful because the IT giant says it has seen Hafnium “interacting with victim Office 365 tenants.”
“While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments,” Microsoft stated.
Patch ASAP but log in as an Admin. Tweak port 443 and cross your fingers if you can’t patch
Microsoft has linked to and provided installation instructions for the patches here. Unsurprisingly, Microsoft recommends rapid patching, but if that’s going to be a problem in your environment, the super-corp’s security experts offer some relief.
An advisory states: “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access.”
However, the memo also warns: “This mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”
The perils of non-disclosure? China ‘cloned and used’ NSA zero-day exploit for years before it was made public
There’s a little more relief to be had from the fact that Microsoft’s patches replace the February 9 security update for Exchange Server 2019, so if you’re a little behind, that wasn’t the worst update to have delayed.
But if you patch, do so carefully because the software titan warns that if you’re not logged in as an administrator, some files will not be correctly installed, and you won’t be notified of the problem. You’ll know you’ve done it wrong if Outlook on the web and the Exchange Control Panel stop working. But they don’t always stop.
So good luck with that one.
This page also offers details on how to detect if your environment has been compromised by Hafnium.
Microsoft says it has notified the US government of the attacks. Which means the Biden administration now has the attributed-to-Russia SolarWinds backdoor fiasco as well as the attributed-to-China Hafnium horror on its plate. SolarWinds is thought to have been compromised for up to three years. But Microsoft hasn’t said how long Hafnium has been active. ®