Microsoft: Chinese APT Targeted Exchange Servers With Four Zero-Days

Technology giant Microsoft released emergency security updates today for its Exchange email server to patch four zero-day vulnerabilities that were exploited by a Chinese state-sponsored hacking group.

Named Hafnium, Microsoft said the group has a history of targeting internet-facing servers as an entry point into its targets' internal networks.

In past attacks, the group has primarily targeted entities in the United States, such as infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Its most recent wave of attacks took place this year and have involved the use of four previously unknown Exchange bugs.

Zero-days were part of an attack chain

In reports published today by both Microsoft and security firm Volexity, the companies said that Hafnium operators used the four Exchange zero-days as part of a multi-part attack chain to bypass authentication procedures, gain admin privileges, and then install an ASPX web shell on the compromised servers.

Once attackers had a foothold inside an organization's Exchange server, they proceeded to export the content of email inboxes and address books and upload the data to a remote server.

It's these suspicious uploads that Volexity said it detected on the Exchange servers of two of its customers. A subsequent investigation discovered ongoing attacks, and the security firm said it reported its findings to Microsoft. Volexity also said it tracked down attacks going as far back as January 2021. Microsoft also said it received a second report about the attacks from Danish security firm Dubex.

Earlier today, Microsoft has released patches for the four zero-days exploited in the attacks (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), but also for three other Exchange bugs (CVE-2021-27078, CVE-2021-26854, and CVE-2021-26412) it discovered during the subsequent investigation.

The OS maker said that only Exchange email servers installed on customer premises were vulnerable and that Exchange Online systems were not vulnerable.

While neither Microsoft nor Volexity disclosed the targets of these recent attacks, in a blog post today, Tom Burt, Microsoft Corporate Vice-President of Consumer Trust and Safety, said they've "briefed appropriate U.S. government agencies on this activity."