US government orders federal agencies to shut down or patch Microsoft Exchange servers to protect against Chinese hackers

Through the Cybersecurity and Infrastructure Security Agency (CISA), the US Department of Homeland Security (DHS) has issued an emergency directive (ED 21-02) requiring federal agencies to patch or disconnect the Microsoft Exchange products used on their internal networks. CISA released the directive after Microsoft published fixes for four zero-day vulnerabilities in the product.

The Agency notes that successful exploitation of these vulnerabilities gives threat actors access to on-premises Exchange servers, which then serve as an entry point for taking control of an entire network: “We strongly recommend that federal agencies examine their networks for signs of malicious activity; if no indicators of compromise are found, agencies will need to proceed by applying the security patches released by Microsoft,” CISA says.

Federal agencies should examine their IT infrastructure for any of the following indicators:

  • Presence of web shells on a compromised on-premises Microsoft Exchange server
  • Unauthorized access to or use of accounts
  • Evidence of lateral movement from compromised systems
  • Other indicators of unauthorized access
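The first indicator above, web shells dropped on the Exchange server, is the one an administrator can check for directly on the box. The following script is an added example written for this article; it is not CISA's or Microsoft's code. It walks the IIS and Exchange front-end directories that public guidance for this campaign cites as common drop locations (assumption: a default `V15` install under `%ProgramFiles%`; adjust `$ExchangeRoot` otherwise), flags script files created or modified after a cut-off date, and greps them for markers typical of ASP.NET one-liner shells (the marker list and the date are assumptions to tune, not an authoritative signature).

```powershell
# Added example: triage for web shells on an on-premises Exchange server.
# Run in an elevated PowerShell session on the Exchange server itself.
# Paths: directories commonly cited in public guidance as drop locations (assumption:
# default V15 install). Markers and cut-off date: heuristics, not an authoritative IOC list.

$ExchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'
$SearchPaths = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    (Join-Path $ExchangeRoot 'ClientAccess\Owa\Auth')
)

# Any script file written after this date deserves a look; tune to your environment.
$Since = [datetime]'2021-02-26'

# Content heuristics for ASP.NET one-liner shells (assumption: covers common patterns).
$Markers = @(
    'Request\[',                      # Request["cmd"] style parameter reads
    'Request\.(Form|QueryString|Headers)',
    'eval\(',
    'ProcessStartInfo',
    'Process\.Start',
    'System\.Diagnostics',
    'XmlSerializer'                   # used by some Exchange-targeting shells
)
$Pattern = $Markers -join '|'

$Findings = foreach ($Path in $SearchPaths) {
    if (-not (Test-Path -Path $Path)) { continue }
    Get-ChildItem -Path $Path -Recurse -File -Include *.aspx,*.asp,*.ashx,*.asmx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hit    = Select-String -Path $_.FullName -Pattern $Pattern -Quiet -ErrorAction SilentlyContinue
            $recent = ($_.CreationTimeUtc -ge $Since) -or ($_.LastWriteTimeUtc -ge $Since)
            if ($hit -or $recent) {
                [pscustomobject]@{
                    Path        = $_.FullName
                    SizeBytes   = $_.Length
                    CreatedUtc  = $_.CreationTimeUtc
                    ModifiedUtc = $_.LastWriteTimeUtc
                    SuspectCode = [bool]$hit
                    SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

if ($Findings) {
    $Findings | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
    # Keep a record for the incident file before anything is cleaned up.
    $Findings | Export-Csv -Path (Join-Path $env:TEMP 'exchange-webshell-triage.csv') -NoTypeInformation
} else {
    'No recent or suspicious script files found in the monitored paths.'
}
```

Two caveats. Legitimate `.aspx` files ship in `owa\auth` and `ecp\auth`, so a listing is not a verdict: compare hashes and timestamps against a known-clean installation of the same build, and treat small files that read a request parameter and spawn a process as hostile until proven otherwise. And the order of operations matters under the directive: a hit here means the server should be isolated and investigated before it is patched, since patching closes the door but does not evict an attacker who already has a shell and harvested credentials. Microsoft's own triage script for this campaign (published in its CSS-Exchange repository) covers the request logs as well and complements this file-system check.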

Just a few days ago, Microsoft disclosed multiple incidents of exploitation of these flaws, all linked to hacking groups sponsored by the Chinese state. The attacks target organizations in the United States across multiple sectors in order to exfiltrate sensitive information.

As for the groups responsible, Microsoft attributes the attacks to the actor it tracks as HAFNIUM, which it assesses to be state-sponsored and operating out of China, and which specializes in compromising Exchange deployments.

Microsoft also reports that other, as-yet unidentified groups are exploiting the same vulnerabilities. Other security researchers add that APT27 (also tracked as Bronze Union) is among them.

Active exploitation of the Microsoft Exchange zero-days was first detected on January 6, 2021, according to information security specialists at the firm Volexity. Microsoft recommends that administrators of vulnerable deployments apply the updates immediately to reduce the risk of exploitation.

State-sponsored hacking groups are among the main cybersecurity threats, as they have the financial and technical resources to run complex campaigns, so private and public organizations need up-to-date information on this risk and how to mitigate it. To learn more about information security risks, malware variants, vulnerabilities and information technologies, visit the International Institute of Cyber Security (IICS) website.