Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
Microsoft’s Cloud Services such as Exchange Online and Office 365 are not affected.
According to researchers at Volexity, the attacks would seem to have started back on January 6. "The attacker was using the vulnerability to steal the full contents of several user mailboxes," a Volexity blog posting states. The same researchers found the vulnerability to be remotely exploitable without any authentication needed. Indeed, they determined that all an attacker needs to know is "the server running Exchange and the account from which they want to extract e-mail."
How You Can Protect Yourself And Your Organization:
The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which are addressed in the Microsoft Security Response Center (MSRC) release "Multiple Security Updates Released for Exchange Server". We strongly urge customers to update on-premises Exchange servers immediately. Note that applying the update closes the vulnerabilities but does not remove malware or web shells an attacker has already installed, so patched servers should still be checked for signs of prior compromise.
Microsoft has also released an updated script that scans Microsoft Exchange log files for indicators of compromise (IOCs) associated with these vulnerabilities. Visit the United States Cybersecurity & Infrastructure Security Agency (CISA) web site for details on the IOC detection script.
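The check such a script performs for CVE-2021-26855 can be reproduced in a few lines. The following is an added example, not Microsoft's script and not part of the original page: it parses the Exchange HttpProxy log format (the `#Fields:` header followed by CSV rows) and flags requests with an empty AuthenticatedUser whose AnchorMailbox matches `ServerInfo~*/*`, which is the indicator Microsoft published for that CVE. The log lines are constructed for the demo with a reduced column set; the hostnames, IP addresses and request IDs are placeholders, and the log directory path in `scan_directory` is the standard Exchange install layout but is not read by the demo.

```python
"""Scan Exchange HttpProxy logs for the CVE-2021-26855 indicator.

Added example, not Microsoft's script. It applies the check Microsoft
published for CVE-2021-26855: a request with an empty AuthenticatedUser
whose AnchorMailbox looks like "ServerInfo~<host>/<path>". The log text
below is constructed for the demo; on a real server the logs live under
  <ExchangeInstallPath>\\Logging\\HttpProxy\\<protocol>\\*.log
and use the same '#Fields:' header convention.
"""
import csv
import fnmatch
import io
from pathlib import Path

# Constructed sample with a reduced column set (real files carry more
# columns; the parser keys on the header, so extra columns are harmless).
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.01.2176.002
#Log-type: HttpProxy Logs
#Date: 2021-03-02T00:00:00.000Z
#Fields: DateTime,RequestId,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-02T01:00:00.000Z,a1,Ecp,/ecp/default.flt,,ServerInfo~exch01.corp.example/ecp/DDI/DDIService.svc/GetList,203.0.113.10,200
2021-03-02T01:00:05.000Z,a2,Owa,/owa/auth/logon.aspx,,,198.51.100.7,200
2021-03-02T01:01:00.000Z,a3,Ecp,/ecp/default.aspx,CORP\\alice,Sid~S-1-5-21-1-2-3-1001,192.0.2.25,200
2021-03-02T01:02:00.000Z,a4,Ecp,/ecp/y.js,,ServerInfo~exch01.corp.example/autodiscover/autodiscover.xml,203.0.113.10,200
"""

# Microsoft's published AnchorMailbox pattern for CVE-2021-26855.
ANCHOR_PATTERN = "ServerInfo~*/*"


def parse_httpproxy_log(text):
    """Yield one dict per request row, keyed by the names in '#Fields:'."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            continue  # data before any header: columns cannot be mapped
        row = next(csv.reader([line]))
        yield dict(zip(fields, row))


def find_cve_2021_26855_hits(text):
    """Return rows matching the indicator: unauthenticated + ServerInfo~ anchor."""
    hits = []
    for row in parse_httpproxy_log(text):
        unauthenticated = row.get("AuthenticatedUser", "") == ""
        anchor = row.get("AnchorMailbox", "")
        if unauthenticated and fnmatch.fnmatchcase(anchor, ANCHOR_PATTERN):
            hits.append(row)
    return hits


def scan_directory(root):
    """Walk a real HttpProxy log directory and collect hits from every *.log."""
    hits = []
    for path in Path(root).rglob("*.log"):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits.extend(find_cve_2021_26855_hits(text))
    return hits


if __name__ == "__main__":
    # Demo on the constructed sample; rows a1 and a4 are flagged.
    for hit in find_cve_2021_26855_hits(SAMPLE_LOG):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["AnchorMailbox"])
```

A hit on this indicator means an unauthenticated request was proxied with an attacker-controlled backend target, which is the shape of the CVE-2021-26855 SSRF; the ClientIpAddress and DateTime of each hit are the pivot points for the rest of the investigation (web shell drops, mailbox exports), and the absence of hits does not prove the server was never exploited, since logs may have rolled over or been cleared.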