
Microsoft Issues Exchange Server Updates for Four 0-Day Vulnerabilities Used by Chinese Hafnium APT

Silviu STAHIE

March 03, 2021


Microsoft has revealed a state-sponsored threat actor it calls Hafnium that has been exploiting four previously unknown (zero-day) vulnerabilities in on-premises Exchange Server.

A zero-day vulnerability is always a serious matter and usually reason enough for a vendor to ship a patch quickly. Microsoft disclosed not one but four such vulnerabilities affecting Exchange Server 2013, 2016 and 2019. The company released them as an out-of-band update, meaning one issued outside the regular monthly Patch Tuesday schedule.

Multiple zero-day vulnerabilities in a single product, with exploits already in the wild, is an uncommon occurrence. When it happens, it is usually the work of a major threat actor, often acting at the behest of a nation-state.

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks,” said Microsoft. “In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.”

“The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in the Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server,” explained Microsoft.

The company attributed the campaign to a group it named HAFNIUM, assessed to be state-sponsored and operating out of China. The APT's primary targets are in the United States, but it shows no preference for a particular industry, having targeted infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.

Their methods are not unlike what has been observed before: the group uses stolen credentials or the previously undisclosed vulnerabilities to pose as users who should have access to the server. Once in, the attackers drop a web shell to control the compromised Exchange server remotely, and then use that access to steal data, including mailbox contents. Because a web shell persists independently of the bugs that planted it, applying the patches closes the door but does not evict an attacker who is already inside; any server that was exposed before patching needs to be checked for web shells and other post-exploitation artifacts.
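As an added example (not part of the original article, and not Microsoft's own tooling), the script below applies the log-based indicator Microsoft published alongside these CVEs to Exchange HttpProxy logs: requests where AuthenticatedUser is empty and AnchorMailbox matches the pattern ServerInfo~*/*, which is how the pre-authentication abuse tracked as CVE-2021-26855 showed up on affected servers. On a real server the logs live under the Exchange install path in Logging\HttpProxy; here the log content, column subset, host names and IP addresses are all constructed for illustration.

```python
"""Hunt Exchange HttpProxy logs for the published CVE-2021-26855 indicator:
an empty AuthenticatedUser combined with an AnchorMailbox of the form
'ServerInfo~<host>/<path>'.  Added example; not Microsoft's script."""
import csv
import fnmatch
from collections import Counter
from typing import Dict, List

# Constructed sample in the shape of an Exchange HttpProxy log: '#'-prefixed
# metadata lines, a '#Fields:' header naming the columns, then CSV rows.
# Real logs carry many more columns; every value here is made up.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Date: 2021-03-02T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-02T08:12:01.123Z,1a,10.0.0.5,/owa/,CONTOSO\\alice,alice@contoso.com,200
2021-03-02T08:12:02.456Z,1b,203.0.113.7,/owa/auth/x.js,,ServerInfo~exch01.contoso.local/autodiscover/autodiscover.xml?#,200
2021-03-02T08:12:03.789Z,1c,10.0.0.9,/mapi/emsmdb,CONTOSO\\bob,bob@contoso.com,200
2021-03-02T08:12:04.000Z,1d,203.0.113.7,/ecp/y.js,,ServerInfo~exch01.contoso.local/ecp/DDI/DDIService.svc/SetObject,200
2021-03-02T08:12:05.000Z,1e,10.0.0.5,/ecp/,CONTOSO\\alice,ServerInfo~exch01.contoso.local,200
2021-03-02T08:12:06.000Z,1f,198.51.100.23,/owa/,,ServerInfo~exch01.contoso.local,401
"""

# Microsoft's published filter, expressed as PowerShell, was:
#   AuthenticatedUser -eq '' -and AnchorMailbox -like 'ServerInfo~*/*'
ANCHOR_PATTERN = "ServerInfo~*/*"


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse the '#Fields:'-style CSV log into one dict per request row."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue  # other metadata lines (#Software, #Date, ...)
        if not fields:
            raise ValueError("data row encountered before a #Fields: header")
        values = next(csv.reader([line]))
        records.append(dict(zip(fields, values)))
    return records


def is_suspicious(rec: Dict[str, str]) -> bool:
    """True when the row is unauthenticated and anchored to a server *path*.
    A bare 'ServerInfo~host' anchor (no slash) is normal routing and is not
    flagged, which is why the '/' in the pattern matters."""
    return (
        rec.get("AuthenticatedUser", "") == ""
        and fnmatch.fnmatchcase(rec.get("AnchorMailbox", ""), ANCHOR_PATTERN)
    )


def find_suspicious(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in records if is_suspicious(r)]


def hits_by_client(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source IP, a quick pivot for triage."""
    return dict(Counter(r["ClientIpAddress"] for r in find_suspicious(records)))


if __name__ == "__main__":
    recs = parse_httpproxy_log(SAMPLE_LOG)
    for hit in find_suspicious(recs):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["UrlStem"], hit["AnchorMailbox"])
    print(hits_by_client(recs))
```

Run against the sample, the script flags only the two requests from 203.0.113.7 (rows 1b and 1d); the authenticated row that happens to carry a ServerInfo~ anchor and the unauthenticated 401 probe without a path component are both left alone. A hit is a reason to preserve the server's logs and look for web shells, not proof of compromise on its own.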

While Microsoft did issue patches to close the vulnerabilities, not all customers will install them quickly. The security updates apply only to supported cumulative update levels, so servers running an older cumulative update must first be brought current before the fix can be installed, which lengthens the window of exposure. Microsoft warned that, now that the vulnerabilities are public, the group will likely intensify its attacks and hit organizations before they have a chance to patch their infrastructure.
