“Chinese Hackers are now collaborating with state-sponsored operatives to plunder Exchange Servers,” according to Microsoft
This follows Volexity's initial identification of the attacks on January 5, which led the Microsoft Threat Intelligence Center, the Microsoft 365 Defender Threat Intelligence Team, and Microsoft 365 Security to issue a statement two months later advising customers of the severity of the in-the-wild attacks carried out by a group known as HAFNIUM.
Microsoft notified its customers that the attack targeted vulnerabilities in its products and services to access email accounts, retrieve information, and install further malware. The statement urged all customers with on-premises Exchange servers to update immediately because of the threat posed by the attackers. Exchange Online, however, was not affected by the bugs and did not require these updates.
What set this campaign apart from previous attacks by HAFNIUM is that it chained four prominent exploits. The first, a server-side request forgery identified as CVE-2021-26855, lets the attacker send requests that are treated as coming from the Exchange server itself. The second, CVE-2021-26857, is a vulnerability in the Unified Messaging service that allows code to run as SYSTEM. These were followed by two post-authentication arbitrary file write vulnerabilities, including CVE-2021-26858. Microsoft described this as an ingenious combination that, once executed successfully, could easily extract data from unsuspecting Microsoft customers running on-premises Exchange servers. The fact that the chain can be triggered remotely made it even more dangerous, since the attacker needs only the Exchange server and the address of the mailbox from which to retrieve emails. “No authentication is required to execute the attacks.”
Volexity was applauded for bringing this issue to attention. In a blog post, they wrote, “the cyber-spies exploited vulnerabilities to forge access to all features and contents of email addresses for all this time.” This sparked a heated conversation, with many customers expressing surprise that Microsoft took so long, two months, to issue an update. One commented, “the repercussions of this attack are far-reaching! It's awful that it took Microsoft two months to prepare an update while the attackers continued exploiting the existing vulnerabilities further!”
The vice-president of customer support at Microsoft, Tom Burt, reiterated that Microsoft was confident HAFNIUM was behind the zero-day exploits and that it targeted American organizations as well as those in other regions. He further warned that while compromising on-premises Exchange servers takes some effort, it does not require someone with in-depth expertise. “They only need to gain access through impersonation via CVE-2021-26855 and then generate a web shell to acquire full remote control of the server. This then gives the attacker ample time to extract any data through this access.” Burt said there is a need to update as soon as possible, though another mitigation involves “restricting unauthenticated connections or by setting up a VPN to isolate the Exchange server from external access.”
Tom Burt warned customers that other criminal groups would move quickly to exploit every unpatched system, even as Microsoft worked at “business speed” to provide an emergency update against the HAFNIUM bugs. This follows a warning from senior Microsoft Intelligence Analyst Kevin Beaumont that more bugs are expected in the future, underscoring that this is a serious issue requiring immediate attention.
There is no evidence linking these attacks to the SolarWinds-related attacks, although similar bugs had been reported in other regions. This prompted the US Department of Homeland Security to issue a notice requiring all relevant federal agencies to install the updates as soon as possible and to comply with the statement before March 5.
“We're determined to collaborate with the affected organizations,” said FireEye Mandiant's Chief Technical Officer. He further emphasized that while updates are the immediate remedy, even organizations that appear unaffected should check whether their systems have been compromised. “We recommend that organizations check their systems for signs of intrusion that could have occurred before patches were installed, in parallel with updating as quickly as possible.”