If there’s one thing we’ve learned over the last year-plus of disruption, it’s that cybersecurity is a mission-critical priority for every business, and that the goalposts and dangers keep moving. Even our most trusted technology stacks are no exception: yesterday Microsoft disclosed zero-day vulnerabilities that attackers are actively exploiting against on-premises versions of Microsoft Exchange Server. Exchange email servers are an attractive target because of the sheer volume of email data they hold about any given organization.
“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.”
—Microsoft Tech Community Blog
What You Need to Know About the Zero-Day Exchange Vulnerabilities
Microsoft’s announcement came yesterday, alongside the immediate release of updates that protect users and their organizations against four previously unknown, or ‘zero-day’, Exchange Server vulnerabilities used in limited, targeted attacks.
Microsoft is urgently recommending that users apply the updates ASAP due to the critical rating and risks of the flaws. The zero-day flaws impacted Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. However, Exchange Online is not affected.
Who is Involved and How It Happened
According to Volexity, a Washington-based security firm, the attacks started around January 6th, 2021. Microsoft attributes the attacks to a state-sponsored threat actor based out of China called Hafnium. These hackers exploited the bugs in on-premises Exchange servers to breach user email accounts. The four bugs are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
According to Volexity, CVE-2021-26855 was used to gain access to the complete contents of several user mailboxes. The bug can be exploited remotely without any user authentication.
There is no connection between these attacks and the SolarWinds-related attacks, and there is no evidence that the actor behind SolarWinds found or exploited any vulnerabilities in Microsoft products and services.
So, what can you do right now?
Microsoft is recommending that all customers apply the latest Exchange updates immediately. Some organizations may also be exploring Exchange Online, the cloud-hosted version of Exchange, which was not affected by these state-sponsored attacks.
Protect your business from the latest threats.
Our security experts are here to help you get the most out of your secure, connected workforce. MicroAge is a Gold Microsoft partner—ready to help you protect your Microsoft environment while empowering greater collaboration and productivity.