Microsoft just disclosed another major attack on one of its products, unrelated to the SolarWinds hack that also hit Microsoft's own systems. This time around, it's Microsoft Exchange that's been breached, with attackers able to steal email contents from American companies. Microsoft says the attackers come from China, a group the company calls "Hafnium." Microsoft says these are state-sponsored hackers who found and took advantage of four vulnerabilities in Microsoft's email cloud service to extract sensitive data from email. Microsoft has patched the security issues and is urging Exchange users to install the updates to avoid similar attacks.
Microsoft explained in a blog post that the attackers are “highly skilled and sophisticated.” They operate primarily from China, although they use virtual private servers in the US.
Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.
The hackers used zero-day vulnerabilities to target "on-premises Exchange Server software." Once access was obtained, the hackers would steal data from emails:
The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.
Microsoft says that Exchange Server versions 2013, 2016, and 2019 are impacted, but not Exchange Online; details on the patches are available from Microsoft. Microsoft also published an extensive report about the four vulnerabilities, which includes methods to determine whether a company's Exchange-based email was compromised.
Microsoft urges customers to deploy the fixes as fast as possible, as other hackers might attempt to take advantage of the zero-day vulnerabilities now that they have been disclosed.
The company credits security researchers from Volexity and Dubex for finding the Hafnium hacks. Volexity President Steven Adair told KrebsOnSecurity that the attacks were spotted on January 6th.
“These flaws are very easy to exploit,” Adair said. “You don’t need any special knowledge with these exploits. You just show up and say, ‘I would like to break in and read all their email.’ That’s all there is to it.”
The Hafnium attack isn’t part of the SolarWinds hack, however.
Microsoft confirmed in early January that the SolarWinds hackers breached its security and accessed sensitive source code from undisclosed products. The hackers did not obtain access to customer data, and Microsoft’s systems were not used to attack other targets, Microsoft said at the time. Russian hackers are believed to have initiated the SolarWinds attack.