Microsoft believes the recent attacks on its on-premises email server software, Microsoft Exchange Server, were carried out by the Chinese government-backed hacking group HAFNIUM.
“Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures,” reads a statement from the company.
“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed the installation of additional malware to facilitate long-term access to victim environments.”
The versions affected are:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
“These vulnerabilities are significant and need to be taken seriously. They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them. The broad installation of Exchange and its exposure to the internet means that many organizations running an on-premises Exchange server could be at risk,” says Mat Gangwer, Senior Director of Sophos Managed Threat Response.
Attackers are actively exploiting these vulnerabilities, and the primary post-exploitation technique observed is the deployment of web shells on the compromised servers. If left unaddressed, a web shell lets the threat actor execute commands remotely for as long as it remains present, regardless of whether the underlying vulnerabilities have since been patched.
“Organizations running an on-premises Exchange server should assume they are impacted, and first and foremost patch their Exchange devices and confirm the updates have been successful. However, simply applying patches won’t remove artefacts from your network that pre-date the patch. Organizations need human eyes and intelligence to determine whether they have been impacted and to what extent, and, most importantly to neutralize the attack and remove the adversary from their networks.”
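As an added illustration of the post-patch hunting the quote above describes, the following script walks a web root, reads every ASP.NET script file, and flags files whose content matches several generic web-shell indicators (request-parameter access combined with process spawning, eval, or a shell binary) or that were modified after a date of interest. This is example code written for this page; it is not from the article, Microsoft, or Sophos. The indicator patterns, the file extensions, the sample file names and their contents are all constructed assumptions for the demonstration; they are not indicators taken from the HAFNIUM campaign, and a real hunt should compare findings against a known-good baseline of the Exchange installation rather than rely on these heuristics alone.

```python
"""Hunt for suspicious ASP.NET script files (possible web shells) under a web root.

Added example, not code from the article or from Microsoft/Sophos. The indicator
patterns below are generic heuristics chosen for illustration (assumption), and
the sample web root built by build_sample_web_root() is constructed test data.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

# Generic web-shell indicators (assumption: illustrative, not campaign-specific).
INDICATORS = [
    ("request-param", re.compile(rb"Request(?:\.(?:Item|Form|QueryString|Headers))?\s*\[", re.I)),
    ("eval", re.compile(rb"\beval\s*\(", re.I)),
    ("process", re.compile(rb"System\.Diagnostics\.Process|ProcessStartInfo", re.I)),
    ("shell-binary", re.compile(rb"cmd\.exe|powershell(?:\.exe)?", re.I)),
    ("script-eval", re.compile(rb"JScript\.Eval|ExecuteGlobal", re.I)),
]

# File types served by IIS that can carry server-side code (assumption).
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


@dataclass
class Finding:
    path: str
    indicators: List[str] = field(default_factory=list)
    mtime: float = 0.0


def score_content(data: bytes) -> List[str]:
    """Return the names of all indicators that match the file content."""
    return [name for name, pattern in INDICATORS if pattern.search(data)]


def hunt_web_shells(web_root: str, newer_than: Optional[float] = None,
                    min_hits: int = 2, max_bytes: int = 2_000_000) -> List[Finding]:
    """Flag script files with >= min_hits indicators, or any indicator plus a
    modification time at/after `newer_than` (a POSIX timestamp)."""
    findings = []
    for dirpath, _, filenames in os.walk(web_root):
        for name in filenames:
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read(max_bytes)  # cap read size; web shells are small
                mtime = os.path.getmtime(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole hunt
            hits = score_content(data)
            recent = newer_than is not None and mtime >= newer_than
            if len(hits) >= min_hits or (recent and hits):
                findings.append(Finding(full, hits, mtime))
    return findings


def basenames(findings: List[Finding]) -> List[str]:
    """Sorted file names of the findings, for reporting and testing."""
    return sorted(os.path.basename(f.path) for f in findings)


def build_sample_web_root() -> str:
    """Create a constructed web root: one ordinary page and one shell-like
    fragment (sample data for this example; the fragment is not a working page)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "owa", "auth"))
    benign = (
        '<%@ Page Language="C#" %>\n'
        '<script runat="server">\n'
        'void Page_Load(object s, EventArgs e) { Label1.Text = Request.QueryString["id"]; }\n'
        '</script>\n'
    )
    shell_like = (
        '<%@ Page Language="JScript" %>\n'
        '<% var c = Request["cmd"]; /* constructed fragment: would hand c to cmd.exe '
        'via System.Diagnostics.Process */ %>\n'
    )
    with open(os.path.join(root, "owa", "legit_page.aspx"), "w", encoding="utf-8") as fh:
        fh.write(benign)
    with open(os.path.join(root, "owa", "auth", "shell_sample.aspx"), "w", encoding="utf-8") as fh:
        fh.write(shell_like)
    return root


if __name__ == "__main__":
    sample_root = build_sample_web_root()
    for finding in hunt_web_shells(sample_root):
        print(finding.path, finding.indicators)
```

Run against a real server, point `web_root` at the IIS web root and set `newer_than` to the timestamp of the last known-good change; the benign page above matches only one indicator (parameter access) and is not flagged unless it is also recent, which is why the time filter matters for an investigation window. Any hit is a lead for a human analyst, not a verdict, and, as the quote stresses, removing a web shell is only the start of evicting the adversary.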