Illustration by Security Management

Microsoft Urges Customers to Patch to Mitigate Effect of Latest 0-Day Exploits

While security professionals are continuing to address the fallout from the SolarWinds breach, Microsoft announced this week that it had detected several 0-day exploits being used to attack versions of Microsoft Exchange Server.

“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments,” according to a blog post by Microsoft’s 365 Defender Threat Intelligence Team. 

Microsoft urged customers to update their on-premises systems immediately and said that Exchange Online was not impacted by the exploits.

“We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem,” Microsoft said.

White House National Security Advisor Jake Sullivan reiterated Microsoft’s suggestion, tweeting that the Biden administration was “closely tracking” the patch and “reports of potential compromises of U.S. think tanks and defense industrial base entities.”

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive instructing agencies to take action to mitigate the effects of the 0-day exploits.

Under the directive, federal civilian agencies must identify all instances of on-premises Microsoft Exchange Servers in their environment. Those with the capability to do so are then required to “forensically triage artifacts using collection tools” and examine those artifacts for indications of compromise or unusual behavior. Agencies that do not detect compromise are required to install the Microsoft patches; those that do detect compromise must take additional actions to mitigate the exploits and report their status to CISA.

Cybersecurity firm Volexity first detected and alerted Microsoft to the activity that led to the discovery of the 0-day exploits. Through its analysis, Volexity determined that attackers were using a vulnerability to “steal the full contents of several user mailboxes,” according to a write-up. “This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.” 

In response to the detected activity, cybersecurity firm FireEye wrote on its blog that it created threat hunting campaigns to identify additional Exchange Server abuse. 

“Based on our telemetry, we have identified an array of affected victims including US-based retailers, local governments, a university, and an engineering firm,” FireEye said. “Related activity may also include a Southeast Asian government and Central Asian telecom.”

CyberScoop reports that the email systems of the city of Prague and the Czech Republic’s Labour Ministry were impacted by the exploits. 

“The Czech Office for Cyber and Information Security confirmed it is responding to attacks caused by the 0-days, while Norway’s National Security Authority also warned victims were cropping up in Norway earlier this week,” according to CyberScoop.

Microsoft has attributed the campaign with “high-confidence” to HAFNIUM, a state-sponsored group operating out of China that is focused on targeting infectious disease researchers, higher education institutions, defense contractors, policy think tanks, and others in the United States.

“HAFNIUM has previously compromised victims by exploiting vulnerabilities in Internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control,” Microsoft explained. “Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.”

In a blog post, Tom Burt, Microsoft’s Corporate Vice President, Customer Security & Trust, wrote that Microsoft has no evidence of HAFNIUM targeting individual consumers or that the exploits impact other Microsoft products.

“This is the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society; other activity we disclosed has targeted healthcare organizations fighting COVID-19, political campaigns and others involved in the 2020 elections, and high-profile attendees of major policymaking conferences,” Burt explained.

When asked about HAFNIUM’s activity, a spokesperson for the Chinese Embassy in Washington emailed NBC News and directed the outlet to comments made by Wang Wenbin. 

“We hope that relevant media and company will adopt a professional and responsible attitude and underscore the importance to have enough evidence when identifying cyber-related incidents, rather than make groundless accusations,” Wenbin said.

Microsoft said that this activity is not related to the SolarWinds breach, which also impacted some Microsoft customers. The level of access both compromises gave threat actors to victims’ systems, however, poses similar security risks and will take considerable time to assess and recover from.

“Neither SolarWinds nor the HAFNIUM attacks have stopped, meaning the very concept of cleanup, at least broadly, remains a distant dream,” according to analysis from WIRED. “It’s like trying to mop up an actively gushing oil tanker.”