Microsoft Exchange targeted by China-linked hackers

IT admins have been urged to urgently patch on-premise Exchange Server systems

Microsoft’s Exchange mail servers have been targeted by a group of state-backed hackers operating out of China, according to the tech giant.

The threat actors took advantage of four previously-undetected zero-day vulnerabilities in its software that allowed hackers to access servers for Microsoft Exchange. These flaws were labelled CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Microsoft’s latest Security Response Center (MSRC) release.

The company said that it believes the attacks were carried out by the Hafnium group, which Microsoft described as “state-sponsored and operating out of China, based on observed victimology, tactics and procedures”.

Microsoft’s corporate VP of Customer Security & Trust, Tom Burt, said that “while Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States”.

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs,” he said, adding that the group “engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software”.

According to Burt, the threat actors carry out the attack in three steps: “First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely.

Related Resource

How to improve cyber security for remote working

13 recommendations for security from any location

How to improve cyber security for remote working - whitepaper from MimecastDownload now

"Third, it would use that remote access – run from the US-based private servers – to steal data from an organisation’s network."

Microsoft advised customers to update on-premises Exchange Server 2013, 2016 and 2019 systems immediately, adding that Exchange Online hadn’t been affected and that the attacks are in "no way connected to the separate SolarWinds-related attacks”. The company has been under intense scrutiny since it was found that an exploit in Microsoft 365 was used by SolarWinds hackers to access government and the private sector information, including MalwareBytes’ internal emails.

However, Microsoft maintained that it continues “to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services”. 

Burt added that the Hafnium group-led attack is the eighth case in the last 12 months of a nation-state group targeting critical institutions to be disclosed by Microsoft.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

How to use machine learning and AI in cyber security
Security

How to use machine learning and AI in cyber security

30 Jul 2021
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

29 Jul 2021
Colonial Pipeline hack spurred copycat attacks on other oil and gas companies
hacking

Colonial Pipeline hack spurred copycat attacks on other oil and gas companies

29 Jul 2021
Study finds companies are mishandling cyber security recruitment
cyber security

Study finds companies are mishandling cyber security recruitment

28 Jul 2021

Most Popular

Salesforce's $28bn Slack acquisition: What's next for workplace collaboration?
collaboration

Salesforce's $28bn Slack acquisition: What's next for workplace collaboration?

22 Jul 2021
UK gun owners urged to be ‘vigilant’ after Guntrader data breach
data breaches

UK gun owners urged to be ‘vigilant’ after Guntrader data breach

23 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021