KEY POINTS

  • The patch addresses exploits used in targeted attacks
  • Hackers exploit four distinct zero-day vulnerabilities of the Exchange Server

To prevent highly skilled hackers from exploiting the vulnerabilities of the Exchange Server, Microsoft has urged its users to install the recently released emergency patch as soon as possible.

The update assumes significance as China-based hackers' group, Hafnium, recently used unknown exploits to hack a fully patched on-premise exchange server. 

Reports say that Hafnium is a state-sponsored, highly sophisticated threat actor. It conducts operations from leased virtual private servers in the United States and target entities in the country. Among its goals is to penetrate infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs, ARS Technica reported. 

On Tuesday, Microsoft Corporate Vice President of Customer Security & Trust Tom Burt wrote in a post that the best protection against the attack is to apply the latest patch promptly.

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” Burt said.

In the post published entitled “New nation-state cyberattacks,” Burt named the four distinct zero-day vulnerabilities. He listed CVE-2021-26855, a server-side request forgery (SSRF) vulnerability, CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service, CVE-2021-26858, a post-authentication arbitrary file write vulnerability, and the CVE-2021-27065, a post-authentication arbitrary file write vulnerability.

Burt also elaborated how they observed Hafnium executed the series of Exchange Server attacks. He said the group accessed Exchange Server through a stolen password or used previously undiscovered vulnerabilities and disguised them to gain access.

The team later remotely controlled the compromised server by creating a web shell. The attackers completed the exploit by stealing data from an organization by using the remote access running from the US-based private servers.

As of now, the vulnerabilities affect Microsoft Exchange Server versions 2013, 2016and 2019. According to the Microsoft Security Response Center, Exchange Online is not affected and version 2010 will receive an update for Defense in Depth purposes.

“We recommend prioritizing installing updates on Exchange Servers that are externally facing. All affected Exchange Servers should ultimately be updated,” the company urged users through the published post.

Microsoft said the so-called SolarWinds hackers penetrated deeper into its network than previously thought but were unable to make any changes to the tech giant's software code Microsoft said the so-called SolarWinds hackers penetrated deeper into its network than previously thought but were unable to make any changes to the tech giant's software code Photo: AFP / DENIS CHARLET