Zero-day vulnerabilities affecting Microsoft Exchange are being actively exploited by HAFNIUM, a threat actor believed to be a nation-state group.
Anyone running on-premises Exchange Servers should patch them, and then search their servers and networks for indicators of compromise, as a matter of urgency: patching closes the door but does not evict an attacker who is already inside.
Early last week, Microsoft revealed that a China-based group it calls Hafnium has been attacking organisations by exploiting four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) in on-premises versions of its Exchange Server software. Exchange Online is not affected. The attacks are being carried out in three steps, according to Microsoft.
First, the group gains access to an Exchange server, either with stolen account credentials or by exploiting the vulnerabilities to impersonate a user who should have access, in which case no credentials are needed at all. Second, it establishes remote control of the compromised server by writing a web shell, a small piece of server-side script placed in a web-accessible directory, which lets the attacker run arbitrary commands on the server over ordinary HTTPS requests. Third, it uses that access to steal data from the organisation’s network.
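The following hunting script is an added example and is not code from the original post or from Microsoft; it looks for evidence of the first two steps above on an on-premises Exchange 2013/2016/2019 server. For step one it applies the log-based indicator Microsoft published for CVE-2021-26855 (unauthenticated requests whose AnchorMailbox starts with "ServerInfo~"); for step two it lists recently written .aspx files in the web-reachable directories where the web shells were dropped, then flags those whose content looks like a one-line "eval the request" shell. The install path ($ExchangeRoot), the 30-day look-back window and the content regex are assumptions; treat every hit as something to review, not as proof of compromise.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# session on the Exchange server itself (the HttpProxy logs live on the server).
$ExchangeRoot  = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'   # assumption: default install path
$HttpProxyLogs = Join-Path $ExchangeRoot 'Logging\HttpProxy'
$LookBackDays  = 30                                                             # assumption: widen if your logs go back further

# Step 1 indicator (CVE-2021-26855): the server-side request forgery lets an
# unauthenticated request reach back-end services by carrying an AnchorMailbox
# of the form "ServerInfo~<host>/<path>". Legitimate traffic is authenticated.
$ssrfHits = Get-ChildItem -Path $HttpProxyLogs -Filter '*.log' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Import-Csv -Path $_.FullName } |
    Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
    Select-Object DateTime, ClientIpAddress, AnchorMailbox, UrlStem

# Step 2 indicator: web shells were written as .aspx files into directories IIS
# will serve. Stock files here only change when a CU or SU is installed, so a
# LastWriteTime outside a known patch window deserves a look.
$ShellDirs = @(
    (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth')
)
$since = (Get-Date).AddDays(-$LookBackDays)
$recentAspx = Get-ChildItem -Path $ShellDirs -Filter '*.aspx' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since }

# Heuristic content check (assumption, not a signature): a server-side script
# block that evals request input is the classic one-line web shell shape.
$shellLike = $recentAspx |
    Select-String -Pattern 'runat="server"' -SimpleMatch |
    Where-Object { (Get-Content -Path $_.Path -Raw) -match 'eval\s*\(|Request\s*\[|Request\.Item' } |
    Select-Object -ExpandProperty Path -Unique

'=== Step 1: unauthenticated ServerInfo~ requests in HttpProxy logs ==='
$ssrfHits | Format-Table -AutoSize
'=== Step 2: .aspx files written in the last {0} days in web-shell drop locations ===' -f $LookBackDays
$recentAspx | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize
'=== Step 2: of those, files whose content looks like a web shell ==='
$shellLike
```

Two caveats when reading the output. HttpProxy logs are rotated, so an empty step 1 result only means nothing was seen in the logs still on disk, and legitimate .aspx files in owa\auth will appear in step 2 if a cumulative update was installed inside the look-back window; the content check is what separates those from a dropped shell. If either list contains anything you cannot explain, isolate the server and preserve the logs and files before cleaning up.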
The primary objective of Hafnium is to exfiltrate information from organizations in different industries, such as infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and non-governmental organizations. Though Hafnium is located in China, the group runs its malicious operations mainly through leased virtual private servers in the U.S., Microsoft said.
If you haven’t already patched these vulnerabilities, please do so now by following the guidance in the post below from the Microsoft Exchange product team:
If you need any assistance applying the patch to your on-premises Exchange server, or would like us to check whether you have been compromised by an external attacker, call us on 08 9778 5500.