Microsoft says it has detected multiple zero-day attacks against on-premises versions of Microsoft Exchange Server.
The company’s Threat Intelligence Center attributes the campaign with “high confidence” to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
The threat actor exploits these vulnerabilities to access on-premises Exchange servers, which gives it access to email accounts and lets it install malware that facilitates long-term access to victim environments.
The tech giant named the vulnerabilities as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in a 2 March security update for Exchange Server.
“We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected,” the US company said.
“We are sharing this information with our customers and the security community to emphasise the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem.
“This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers,” it added.
Microsoft said HAFNIUM primarily targets entities in the US across a range of sectors, particularly infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and non-government organisations (NGOs).
The hacker group has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, such as Covenant, for command and control, Microsoft said.
“Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file-sharing sites like MEGA,” it added.
The company noted the group operates primarily from leased virtual private servers in the US.
Microsoft thanked cyber-security companies Volexity and Dubex for reporting different parts of the latest attack chain and their collaboration in the investigation.
“It is this level of proactive communication and intelligence sharing that allows the community to come together to get ahead of attacks before they spread.”
Such action also improves security for all, said Microsoft.
Microsoft is the headline sponsor of PrivSec Global, a global live-streaming experience taking place on 23-25 March.