Chinese hackers exploited Microsoft messaging product to steal data




Photo: Drew Angerer (Getty Images)

In the latest in a series of security headaches for Microsoft, the company warned customers on Tuesday that state-sponsored hackers from China have been exploiting vulnerabilities in one of its most widely used email products, Exchange, in order to target US organizations for data theft.

In several blog posts published this week, the company detailed four newly discovered zero-day vulnerabilities associated with the attacks, along with patches and a list of indicators of compromise. Exchange users have been urged to apply the updates to avoid being compromised.

Microsoft researchers have dubbed the main hacker group behind the attacks “HAFNIUM”, describing it as a “highly skilled and sophisticated actor” focused on espionage through data theft. In previous campaigns, HAFNIUM was known to target a wide variety of entities across the United States, including “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” they said.

In the case of Exchange, these attacks resulted in data exfiltration from email accounts. Exchange works with email clients such as Microsoft Office, synchronizing updates with devices and computers, and is widely used by businesses, universities and other large organizations.

The attacks on the product went as follows: the hackers would use the zero-days to gain access to an Exchange server (they also occasionally used compromised credentials). They would then typically deploy a web shell (a malicious script) in order to control the server remotely. From there they could steal data from the associated network, including entire swaths of email. The attacks were carried out from private servers based in the United States, according to Microsoft.

Tom Burt, Microsoft’s vice president for customer security and trust, said on Tuesday that customers should move quickly to patch the associated vulnerabilities:

Even though we have been working quickly to roll out an update for Hafnium exploits, we know that many nation state actors and crime groups will act quickly to take advantage of any unpatched systems. Prompt application of today’s patches is the best protection against this attack.

The situation was initially brought to Microsoft’s attention by researchers at two different security companies, Volexity and Dubex. According to KrebsOnSecurity, Volexity first found evidence of the intrusion campaigns on January 6. In a blog post on Tuesday, Volexity researchers helped break down what the malicious activity looked like in one particular case:

Through its analysis of system memory, Volexity determined that the attacker was exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). The attacker used the vulnerability to steal the complete contents of multiple user mailboxes. This vulnerability can be exploited remotely and requires no authentication, no special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and which account he wants to extract the emails from.

These recent hacking campaigns – which Microsoft described as “limited and targeted” in nature – are not associated with the ongoing “SolarWinds” attacks, which the tech giant is also currently dealing with. The company did not say how many organizations were targeted or successfully compromised by the campaign, and threat actors other than HAFNIUM may also be involved. Microsoft says it has informed federal authorities of the incidents.
