Chinese hackers have been exploiting a Microsoft email product to steal data


photo: Drew Angerer (Getty Images)

In the latest of a series of security-related headaches for Microsoft, the company warned customers on Tuesday that China-sponsored hackers have been exploiting flaws in one of its widely used email products, Exchange, to target US companies for data theft.

In several recently published blog posts, the company lists four recently discovered zero-day vulnerabilities associated with the attacks, along with patches and a list of indicators of compromise. Exchange users have been urged to update to avoid being hacked.

Microsoft investigators have dubbed the main group of hackers behind the attacks “HAFNIUM,” which they describe as a “highly skilled and sophisticated actor” focused on espionage through data theft. In previous campaigns, HAFNIUM has been known to target a wide variety of entities across the United States, including “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” they said.

In the case of Exchange, these attacks have resulted in the leaking of data from email accounts. Exchange works with email clients such as Microsoft Office, synchronizing updates between devices and computers, and is widely used by businesses, universities, and other large organizations.

The attacks on the product have unfolded like this: the hackers exploit the zero days to gain access to an Exchange server (sometimes they also use compromised credentials). They then typically deploy a web shell (a malicious script) to control the server remotely. From there, the hackers can steal data from the associated network, including entire stretches of email. According to Microsoft, the attacks were carried out from private servers based in the United States.

Tom Burt, Microsoft’s corporate vice president of customer security, said Tuesday that customers should move quickly to patch the associated security flaws:

While we have worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched system. Quickly applying today’s patches is the best protection against this attack.

Investigators from two different security companies, Volexity and Dubex, originally drew Microsoft’s attention to the situation. According to KrebsOnSecurity, Volexity first found evidence of the intrusion campaigns on January 6. In a blog post on Tuesday, Volexity investigators described how the malicious activity appeared in one specific case:

By analyzing the system memory, Volexity determined that the attacker was exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). The attacker used the vulnerability to steal the entire contents of several user mailboxes. This vulnerability is remotely exploitable and does not require any kind of authentication, nor does it require special knowledge of or access to a target environment. The attacker only needs to know the server running Exchange and which account they want to extract the email from.

These recent hacking campaigns (which Microsoft has said are “limited and targeted” in nature) are not associated with the ongoing “SolarWinds” attacks, in which the tech giant is also currently embroiled. The company has not said how many organizations were targeted or successfully compromised in the campaign, and other threat actors in addition to HAFNIUM may also be involved. Microsoft says it has informed federal authorities about the incidents.
