Microsoft Exchange targeted by China-linked hackers

Microsoft’s Exchange mail servers have been targeted by a group of state-backed hackers operating out of China, according to the tech giant.

The threat actors took advantage of four previously-undetected zero-day vulnerabilities in its software that allowed hackers to access servers for Microsoft Exchange. These flaws were labelled CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Microsoft’s latest Security Response Center (MSRC) release.

The company said that it believes the attacks were carried out by the Hafnium group, which Microsoft described as “state-sponsored and operating out of China, based on observed victimology, tactics and procedures”.

Microsoft’s corporate VP of Customer Security & Trust, Tom Burt, said that “while Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States”.

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs,” he said, adding that the group “engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software”.

According to Burt, the threat actors carry out the attack in three steps: “First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely.

"Third, it would use that remote access – run from the US-based private servers – to steal data from an organisation’s network."

Microsoft advised customers to update on-premises Exchange Server 2013, 2016 and 2019 systems immediately, adding that Exchange Online hadn’t been affected and that the attacks are in "no way connected to the separate SolarWinds-related attacks”. The company has been under intense scrutiny since it was found that an exploit in Microsoft 365 was used by SolarWinds hackers to access government and the private sector information, including MalwareBytes’ internal emails.

However, Microsoft maintained that it continues “to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services”.

Burt added that the Hafnium group-led attack is the eighth case in the last 12 months of a nation-state group targeting critical institutions to be disclosed by Microsoft.