
If there’s one thing we’ve learned over the last year-plus of disruption, it’s that cybersecurity is a mission-critical priority for every business—and the goalposts and dangers are constantly moving and changing. Even our most reliable technology stacks are no exception: yesterday Microsoft announced zero-day vulnerabilities being exploited by attackers against on-premises versions of Microsoft Exchange Server. Exchange email servers make a provocative target because of the sheer volume of email they hold about any given organization.

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.”

Microsoft Tech Community Blog

What You Need to Know About the Zero-Day Exchange Vulnerabilities


Microsoft’s announcement yesterday came alongside the immediate release of updates to protect users and their organizations against four previously unknown, or ‘zero-day’, Exchange Server vulnerabilities used in limited, targeted attacks.

Microsoft is urgently recommending that users apply the updates ASAP due to the critical rating and risks of the flaws. The zero-day flaws impacted Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. However, Exchange Online is not affected.

Who is Involved and How It Happened


According to a Washington-based firm, Volexity, the attacks started around January 6th, 2021. Microsoft is attributing the attacks to a state-sponsored threat actor based out of China called Hafnium. These attackers exploited the bugs in on-premises Exchange servers to breach user email accounts. All four bugs are being actively tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

According to Volexity, the vulnerability CVE-2021-26855 was being used to gain access to the complete contents of several user mailboxes. The bug could be exploited remotely without any user authentication.

There is no connection between these hacks and the SolarWinds-related attacks and no evidence that the actor behind SolarWinds found or exploited any vulnerabilities in Microsoft products and services.

“In January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two of its customers’ Microsoft Exchange servers. Volexity identified a large amount of data being sent to IP addresses it believed were not tied to legitimate users. A closer inspection of the IIS logs from the Exchange servers revealed rather alarming results. The logs showed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA). It was initially suspected the servers might be backdoored and that webshells were being executed through a malicious HTTP module or ISAPI filter. As a result, Volexity started its incident response efforts and acquired system memory (RAM) and other disk artifacts to initiate a forensics investigation. This investigation revealed that the servers were not backdoored and uncovered a zero-day exploit being used in the wild.”

Volexity Blog
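The IIS log pattern Volexity describes above (inbound POST requests to the image, script, stylesheet and font files served by OWA) can be hunted for directly in W3C-format IIS logs. The Python below is an added example written for this post, not Volexity’s or Microsoft’s tooling; the log lines, the 10.0.0.5 server, the 198.51.100.23 and 203.0.113.9 clients and the OWA paths are constructed sample data, and the set of static file extensions is an assumption.

```python
import re
from collections import Counter

# File types a browser only ever fetches with GET; a POST to one of these is the
# anomaly Volexity describes. The list is an assumption, extend it to fit your OWA build.
STATIC_EXT = {".js", ".css", ".png", ".gif", ".jpg", ".jpeg", ".ico", ".svg",
              ".woff", ".woff2", ".ttf", ".eot"}

# Constructed sample IIS W3C log, not a real capture. Two clients: one browsing
# OWA normally, one POSTing to static resources with a scripted user agent.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-01-06 03:14:07 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 203.0.113.9 Mozilla/5.0 200
2021-01-06 03:14:09 10.0.0.5 GET /owa/auth/themes/resources/logon.css - 443 - 203.0.113.9 Mozilla/5.0 200
2021-01-06 03:14:12 10.0.0.5 POST /owa/auth/themes/resources/logon.css - 443 - 198.51.100.23 python-requests/2.25.1 200
2021-01-06 03:14:13 10.0.0.5 POST /owa/auth/scripts/premium/flogon.js - 443 - 198.51.100.23 python-requests/2.25.1 200
2021-01-06 03:15:01 10.0.0.5 POST /owa/ev.owa - 443 user@example.com 203.0.113.9 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()                  # W3C fields are space-delimited
        if len(values) == len(fields):         # skip truncated or malformed rows
            yield dict(zip(fields, values))

def find_static_posts(text):
    """Return the entries where a POST targets a file type browsers only GET."""
    hits = []
    for entry in parse_w3c(text):
        stem = entry.get("cs-uri-stem", "").lower()
        ext = re.search(r"\.[a-z0-9]+$", stem)  # query string lives in cs-uri-query, not here
        if entry.get("cs-method") == "POST" and ext and ext.group() in STATIC_EXT:
            hits.append(entry)
    return hits

def hits_by_client(text):
    """Count flagged POSTs per client IP, the pivot an analyst would take next."""
    return Counter(h["c-ip"] for h in find_static_posts(text))

if __name__ == "__main__":
    for h in find_static_posts(SAMPLE_LOG):
        print(h["date"], h["time"], h["c-ip"], h["cs-uri-stem"], h["cs(User-Agent)"])
    print(dict(hits_by_client(SAMPLE_LOG)))
```

Run it against a real log by reading the file contents into `find_static_posts`; the `#Fields` header is parsed, so the column order of your IIS site does not matter.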

So, what can you do right now?


Microsoft is recommending that all clients apply the latest Exchange updates immediately. Some organizations may also be exploring Exchange Online, the hosted version of Exchange that was not affected by these attacks from state actors.

Protect your business from the latest threats.

Let’s talk.

Our security experts are here to help you get the most out of your secure, connected workforce. MicroAge is a Gold Microsoft partner—ready to help you protect your Microsoft environment while empowering greater collaboration and productivity.
