Chinese hackers compromise thousands of Microsoft Exchange deployments

A security alert published by Microsoft reports that a group of Chinese threat actors is running a cyber-espionage campaign that exploits zero-day flaws in Microsoft Exchange servers. Alongside the alert, Microsoft released emergency security patches to mitigate the risk of exploitation.

The company attributes the incident to a Chinese state-sponsored hacking group known as HAFNIUM, which operates from virtual private servers hosted in the US. The group has previously been linked to intrusions at law firms, academic institutions, defense contractors and non-governmental organizations.

Microsoft states that the threat actors chained four zero-day vulnerabilities in Exchange Server (Outlook Web App). Together, these flaws exposed Exchange users to remote code execution without any authentication. The report lists the exploited vulnerabilities:

  • CVE-2021-26855: A server-side request forgery vulnerability in Exchange that allows attackers to send arbitrary HTTP requests and authenticate as the Exchange server
  • CVE-2021-26857: An insecure deserialization flaw in the Unified Messaging service that allows attackers to run code as SYSTEM on the Exchange server; exploiting it requires administrator permissions or another vulnerability
  • CVE-2021-26858: A post-authentication arbitrary file write flaw in Exchange. If HAFNIUM could authenticate with the Exchange server, it could use this vulnerability to write a file to any path on the server
  • CVE-2021-27065: Another post-authentication arbitrary file write flaw in Exchange. Threat actors could obtain the required authentication by exploiting CVE-2021-26855 or by compromising a legitimate administrator's credentials

The compromise of exposed systems takes place in three stages: first, the attackers gain access to an Exchange server; next, they deploy a web shell to control the compromised server remotely; finally, they use that remote access to steal information from the affected system. Attackers were also able to download Exchange offline address books from compromised systems; these documents contain information about the affected organization and its users, Microsoft added.
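A defender-side check for the first stage described above, as an added example that is not from the Microsoft report or this article: it applies the wildcard indicators from Microsoft's published HAFNIUM detection guidance for CVE-2021-26855 (an AnchorMailbox of the form `ServerInfo~*/*` or a BackEndCookie of the form `Server~*/*~*` in the Exchange HttpProxy logs) to log lines. The log sample is constructed with a reduced column set, and the host names and IP addresses in it are placeholders.

```python
import csv
import fnmatch
import io

# Constructed sample in the Exchange HttpProxy CSV layout. The column set is
# reduced to the fields used here; real logs carry many more columns.
SAMPLE_LOG = """\
DateTime,ClientIpAddress,UrlStem,AnchorMailbox,BackEndCookie,AuthenticatedUser,HttpStatus
2021-03-02T10:15:01.000Z,10.0.0.5,/owa/,alice@example.test,Server~mbx01.example.test~1941962752,alice@example.test,200
2021-03-02T10:15:07.000Z,203.0.113.9,/owa/auth/x.js,ServerInfo~mbx01.example.test/autodiscover/autodiscover.xml?a=b,,,200
2021-03-02T10:15:09.000Z,203.0.113.9,/ecp/y.js,ServerInfo~mbx01.example.test/ecp/DDI/DDIService.svc/SetObject?a=b,Server~mbx01.example.test/ecp/~1941962752,,200
2021-03-02T10:16:00.000Z,10.0.0.7,/ews/exchange.asmx,bob@example.test,Server~mbx01.example.test~1941962752,bob@example.test,200
"""

# Wildcard patterns from Microsoft's published HAFNIUM detection guidance:
# a legitimate AnchorMailbox is a mailbox address, not a "ServerInfo~host/path"
# routing string, and a legitimate BackEndCookie carries no "/" inside it.
INDICATOR_PATTERNS = {
    "AnchorMailbox": "ServerInfo~*/*",
    "BackEndCookie": "Server~*/*~*",
}


def matching_fields(row):
    """Return the names of the log fields whose value matches an indicator pattern."""
    return [field for field, pattern in INDICATOR_PATTERNS.items()
            if fnmatch.fnmatchcase(row.get(field) or "", pattern)]


def find_suspicious_requests(log_text):
    """Parse HttpProxy log text and return one finding per matching request."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        fields = matching_fields(row)
        if not fields:
            continue
        findings.append({
            "time": row["DateTime"],
            "client_ip": row["ClientIpAddress"],
            "url": row["UrlStem"],
            "matched_fields": fields,
            # The SSRF is pre-authentication, so a hit with an empty
            # AuthenticatedUser is the strongest signal; hits with a user
            # still deserve review.
            "unauthenticated": not (row.get("AuthenticatedUser") or "").strip(),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['client_ip']} {f['url']} matched={f['matched_fields']} unauth={f['unauthenticated']}")
```

Point the script at the real HttpProxy log files and review every hit, since a match only shows that a request used the exploit's routing pattern, not whether the server was patched at the time.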

In a separate report, Microsoft mentions that HAFNIUM has also targeted users of the Office 365 suite: “Although successful attacks are not very common, this reconnaissance activity helps threat actors identify the configurations of the analyzed environments and eventually launch more accurate attacks.”

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS).