Wed | Mar 3, 2021 | 3:18 PM PST

Zero-Day attacks appear out of the blue, and this week a discovery led to out of band security updates and an emergency directive by CISA.

Microsoft revealed the detection of multiple Zero-Day attacks that are in the wild and being used against versions of Microsoft Exchange Server in targeted attacks.

The company says the threat actor used vulnerabilities to access Exchange servers, enabling them to access email accounts and install additional malware to facilitate long-term access to the victim's environments.

The Microsoft Threat Intelligence Center (MSTIC) attributes the attack to HAFNIUM, a group believed to be state-sponsored and operating out of China. It has based this assessment on observed victimology, tactics, and procedures.

Microsoft explains why it decided to share this information:

"...to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem."

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) also issued an emergency directive and alert regarding the Microsoft Exchange vulnerabilities, and required U.S. government agencies to update their systems.

Who does the HAFNIUM hacking group target?

Microsoft says the HAFNIUM hacking group is backed by China, and researchers say the group primarily targets organizations in the U.S., across a wide variety of sectors. HAFNIUM's known attacks include infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and non-governmental organizations (NGOs.)

How does a HAFNIUM cyberattack operate?

Researchers say HAFNIUM previously targeted victims by exploiting vulnerabilities in internet-facing servers, using legitimate open source frameworks for command and control.

Once the group has gained access to the victim's network, they will typically exfiltrate data to file sharing websites. Interestingly, HAFNIUM operates primarily from leased virtual private servers (VPS) in the U.S.

Microsoft has also observed HAFNIUM interacting with victim Office 365 tenants in campaigns unrelated to the current vulnerabilities.

In most previous cases, the group has been unsuccessful in compromising customer accounts. However, this has helped the Chinese backed hacking group gather more information about the target's environment.

CISA requires emergency action on Microsoft Exchange vulnerability

CISA issued an Emergency Directive to government agencies.

"CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise."

For more detailed and technical information regarding the situation, you can read Microsoft's statement on HAFNIUM targeting Exchange servers with 0-day exploits.

And here is the CISA Emergency Directive on Exchange Vulnerabilities. It is only the second Emergency Directive issued so far in 2021.

Can you guess the first one issued this year? If you thought it was for the the SolarWinds Orion attack, you are correct.

Comments