
Microsoft Exchange Server zero-days exploited in the wild

Both the Cybersecurity and Infrastructure Security Agency and National Security Agency advise patching the Exchange Server zero-days immediately.

A nation-state threat actor has been exploiting Microsoft vulnerabilities for at least two months.

Microsoft patched four zero-day vulnerabilities Tuesday that were found in its on-premises versions of Microsoft Exchange Server. According to Microsoft's blog post disclosing the zero-days, the vulnerabilities are being exploited in "limited and targeted attacks" attributed to a Chinese state-sponsored threat actor dubbed Hafnium by Microsoft.

"Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures," the blog post read.

Microsoft credited vendors Volexity and Dubex for reporting the attack chain and collaborating with the tech giant. In a blog post, Volexity dated the attacks back to at least January of this year.

The four vulnerabilities affecting on-premises versions of Exchange Server are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

CVE-2021-26855 (CVSS 3.0 base score of 9.1) is a server-side request forgery vulnerability; CVE-2021-26857 (CVSS 3.0 base score of 7.8) is an insecure deserialization vulnerability affecting unified messaging; and both CVE-2021-26858 and CVE-2021-27065 (each carrying a CVSS 3.0 base score of 7.8) are "post-authentication arbitrary file write" vulnerabilities.

According to the blog post, Hafnium "primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs."

Regarding the current campaign, Microsoft described Hafnium's actions against victims post-exploit.

"After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise," it read. The blog post also included further technical information as well as indicators of compromise.
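Because the post-exploitation step described above is the deployment of web shells, one thing a defender can do while patching is triage the web content tree for shell-like script pages. The script below is an added example, not code from the article, Microsoft, Volexity or Dubex; the patterns it uses are generic heuristics chosen for illustration (an assumption, not Microsoft's published indicators of compromise), and the sample files it scans are constructed in a temporary directory.

```python
"""Heuristic triage of ASP.NET pages for web shell characteristics (constructed example)."""
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

# Heuristic patterns; an assumption for this example, not a vendor indicator list.
SUSPICIOUS_PATTERNS = {
    "request-driven eval": re.compile(r"eval\s*\(\s*Request", re.IGNORECASE),
    "process spawn": re.compile(r"Process\.Start|cmd\.exe|powershell", re.IGNORECASE),
    "jscript page": re.compile(r'Language\s*=\s*"?JScript"?', re.IGNORECASE),
    "reflection load": re.compile(r"Assembly\.Load|System\.Reflection", re.IGNORECASE),
}


@dataclass
class Finding:
    path: Path
    reasons: List[str] = field(default_factory=list)


def inspect_file(path: Path) -> Optional[Finding]:
    """Return a Finding when a page matches any heuristic, else None."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None
    reasons = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
    # A very small page that also executes request-controlled input is the
    # classic one-line shell shape, so note the size as a supporting signal.
    if reasons and len(text) < 2048:
        reasons.append("very small script page")
    return Finding(path, reasons) if reasons else None


def scan_for_webshells(root: Path, extensions=(".aspx", ".ashx", ".asmx")) -> List[Finding]:
    """Walk a content tree and collect every script page that trips a heuristic."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            page = Path(dirpath) / name
            if page.suffix.lower() not in extensions:
                continue
            finding = inspect_file(page)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: str(f.path))


def build_sample_tree() -> Path:
    """Constructed sample tree: one ordinary logon page and one shell-like page."""
    root = Path(tempfile.mkdtemp(prefix="owa_sample_"))
    (root / "auth").mkdir()
    (root / "auth" / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n<html><body><form runat="server">'
        '<asp:TextBox ID="user" runat="server" /></form></body></html>\n'
    )
    (root / "auth" / "suspicious.aspx").write_text(
        '<%@ Page Language="JScript"%><%eval(Request.Item["cmd"],"unsafe");%>\n'
    )
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in scan_for_webshells(sample_root):
        print(f"{hit.path}: {', '.join(hit.reasons)}")
```

Pattern hits are a starting point for an analyst, not a verdict: pair them with file creation times relative to the patch window and with the vendor's published indicators before acting on a result.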

Microsoft did not respond to SearchSecurity's request for an estimated victim count.

Both the Cybersecurity and Infrastructure Security Agency and the National Security Agency advised immediate patching in notices posted to their cybersecurity Twitter accounts.

Chinese nation-state threat actors remain an ongoing threat. One Chinese APT was recently identified for cloning and using a U.S. government cyberweapon against its targets and another Chinese nation-state group has been reportedly targeting Indian critical power infrastructure.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

