Microsoft Exchange Server zero days exploited in the wild


Both the Cybersecurity and Infrastructure Security Agency and National Security Agency advise patching the Exchange Server zero-days immediately.

A nation-state threat actor has been exploiting the Microsoft vulnerabilities for at least two months.

Microsoft patched four zero-day vulnerabilities Tuesday that were found in its on-premises versions of Microsoft Exchange Server. According to Microsoft’s blog post disclosing the zero-days, the vulnerabilities are being exploited in “limited and targeted attacks” attributed to a Chinese state-sponsored threat actor dubbed Hafnium by Microsoft.

“Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures,” the blog post reads.

Microsoft credited vendors Volexity and Dubex for reporting the attack chain and collaborating with the tech giant. In a blog post, Volexity dated the attacks back to at least January of this year.

The four vulnerabilities affecting on-premises versions of Exchange Server are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

CVE-2021-26855 (CVSS 3.0 base score of 9.1) is a server-side request forgery vulnerability; CVE-2021-26857 (CVSS 3.0 base score of 7.8) is an insecure deserialization vulnerability affecting unified messaging; and both CVE-2021-26858 and CVE-2021-27065 (each carrying a CVSS 3.0 base score of 7.8) are “post-authentication arbitrary file write” vulnerabilities.

According to the blog post, Hafnium “primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”

Regarding the current campaign, Microsoft described Hafnium’s actions against victims post-exploit.

“After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise,” it reads. The blog post also includes further technical information as well as indicators of compromise.
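Because the post-exploitation step described above is a web shell dropped onto the Exchange server, one check a defender can run is a sweep of the web root for recently written ASP.NET pages that carry generic web-shell traits. The script below is an added example written for this article; it is not Microsoft's or Volexity's code, and it does not use the indicators from their blog posts. The heuristic patterns, file paths and file contents are all constructed for illustration, and `scan_webroot` is a hypothetical helper that applies the same check to a real directory.

```python
"""Flag recently modified ASP.NET pages under a web root that look like web shells.

Added example for the article above, not code from Microsoft or Volexity. The
SHELL_PATTERNS heuristics are generic web-shell traits chosen for illustration
and are not the indicators of compromise published for this campaign.
"""
import os
import re
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed heuristics: constructs a legitimate OWA/ECP page rarely needs but a
# one-file remote shell almost always does. Each entry is (label, regex).
SHELL_PATTERNS = [
    ("request-param", re.compile(r"Request\.(Item|Form|QueryString|Headers)|Request\s*\[", re.I)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("process-start", re.compile(r"System\.Diagnostics\.Process|ProcessStartInfo", re.I)),
    ("shell-binary", re.compile(r"cmd\.exe|powershell(\.exe)?", re.I)),
    ("assembly-load", re.compile(r"Assembly\.Load", re.I)),
]

# File types IIS will execute as ASP.NET handlers.
SCRIPT_SUFFIXES = (".aspx", ".ashx", ".asmx")


@dataclass
class Finding:
    path: str
    age_hours: float
    hits: List[str]


def inspect(path: str, mtime: float, content: str, now: float,
            max_age_hours: float = 72, min_hits: int = 2) -> Optional[Finding]:
    """Return a Finding when the file is both recent and matches enough patterns.

    Two independent signals are required: a freshly written page alone is normal
    during maintenance, and a single suspicious token alone is common in
    legitimate code, but both together on a server that was exposed is worth a look.
    """
    age_hours = (now - mtime) / 3600
    if age_hours > max_age_hours:
        return None
    hits = [label for label, pattern in SHELL_PATTERNS if pattern.search(content)]
    if len(hits) < min_hits:
        return None
    return Finding(path=path, age_hours=round(age_hours, 1), hits=hits)


def scan_records(records: Iterable[Tuple[str, float, str]], now: float,
                 **kwargs) -> List[Finding]:
    """Apply inspect() to (path, mtime, content) records, keeping only findings."""
    return [f for f in (inspect(p, m, c, now, **kwargs) for p, m, c in records) if f]


def scan_webroot(root: str, now: Optional[float] = None, **kwargs) -> List[Finding]:
    """Hypothetical helper: walk a real web root and feed its script files to scan_records()."""
    now = time.time() if now is None else now
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(SCRIPT_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    records.append((full, os.path.getmtime(full), fh.read()))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return scan_records(records, now, **kwargs)


# Constructed sample input: paths are placeholders and the contents are
# non-functional token fragments that only exist to exercise the patterns.
NOW = 1_614_700_000  # arbitrary epoch used as "now" for the sample
SAMPLE = [
    ("C:/inetpub/wwwroot/example/a.aspx", NOW - 2 * 3600,
     "...eval(...); ...Request.Item[...]..."),
    ("C:/inetpub/wwwroot/example/b.aspx", NOW - 5 * 3600,
     "...System.Diagnostics.Process...; ...cmd.exe...; ...Request.Form[...]..."),
    ("C:/inetpub/wwwroot/example/old.aspx", NOW - 400 * 24 * 3600,
     "...eval(...); ...Request.Item[...]..."),  # suspicious but far outside the window
    ("C:/inetpub/wwwroot/example/help.aspx", NOW - 3600,
     "<html>static help page</html>"),  # recent but benign
]


if __name__ == "__main__":
    for finding in scan_records(SAMPLE, NOW):
        print(f"{finding.path}: modified {finding.age_hours}h ago, hits={finding.hits}")
```

The age window and hit threshold are deliberately tunable: after a disclosure like this one, widen `max_age_hours` to cover the whole period Volexity reported (back to January) rather than the default three days, and review any file the sweep surfaces against a known-good copy of the Exchange installation instead of treating a match as proof on its own.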

Microsoft did not respond to SearchSecurity’s request for an estimated victim count.

Both the Cybersecurity and Infrastructure Security Agency and the National Security Agency advised immediate patching in notices posted from their cybersecurity Twitter accounts.

Chinese nation-state threat actors remain an ongoing threat. One Chinese APT was recently identified as having cloned and used a U.S. government cyberweapon against its targets, and another Chinese nation-state group has reportedly been targeting Indian critical power infrastructure.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
