Dive Brief:
- Security researchers have identified a new campaign led by a sophisticated state-sponsored threat actor based in China, called Hafnium. The researchers, including Microsoft and security firm Volexity, allege the actor is behind a recent series of cyberattacks targeting on-premises Exchange server software to exfiltrate data from a number of U.S. companies and other organizations, according to a series of blogposts released Tuesday.
- The threat actors were recently observed using zero-day vulnerabilities or stolen passwords to gain access and create a web shell to take control of the compromised server. The threat actor has targeted U.S. infectious disease researchers, higher education institutions, defense contractors and policy think tanks, among others.
- Microsoft is encouraging all Exchange server customers to patch their systems with security updates it released on Tuesday. The company has alerted federal authorities about the attacks, according to Tom Burt, corporate vice president, customer security and trust at Microsoft, in a blogpost.
Dive Insight:
Microsoft is urging customers to install security updates into their systems because of concerns the vulnerability could be exploited. Hafnium has targeted organizations that use internet-facing servers and used legitimate open source frameworks like Covenant as a mechanism for command and control.
"Even though we've worked quickly to deploy an update for the Hafnium exploits, we know that many nation state actors and criminal groups will move quickly to take advantage of any unpatched systems," Burt said in the post. "Promptly applying today's patches is the best protection against this attack."
He also emphasized that the current attack is completely unrelated to the cyber campaign that attacked SolarWinds.
Researchers from Huntress told Cybersecurity Dive that they have checked more than 2,000 Exchange servers and found more than 200 organizations compromised and have seen 350 web shells. Huntress is actively providing updates on what is has found.
"Some targets may have more than one web shell, potentially indicating automated deployment or multiple uncoordinated actors," said John Hammond, senior security researcher at Huntress said via email. "These endpoints do have antivirus or EDR solutions installed, but this has seemingly slipped past a majority of preventative security products."
He said the scope of the attacks appears to be wider that Microsoft earlier claimed, and the confirmed target list includes city and county governments, residential power providers, banks, healthcare providers to mom-and-pop stores.
Researchers at Volexity first observed suspicious activity on Jan. 6, when it found unusual activity involving Exchange Server activity at two of its customers. Large amounts of data were being sent to IP addresses that it says were not tied to legitimate entities.
An investigation found the attackers were exploiting a "zero day server side request forgery (SSRF) vulnerability in Microsoft Exchange" (CVE-2021-26855) in order to steal the full contents of several user mailboxes, according to the Volexity blogpost.
"This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment," according to the post. "The attacker only needs to know the server running Exchange and the account from which they want to extract email."
Researchers at Dubex were also credited with alerting Microsoft.
The vulnerability exists in the latest version of Exchange 2016 on fully patched Windows Server 2016, according to the post. The vulnerability is also found in Exchange 2019, however that has not been tested on fully patched versions.
Microsoft researchers said the other vulnerabilities include the following:
-
CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging Service. This allowed Hafnium to run code as SYSTEM on the Exchange server.
-
CVE-2021-26858 and CVE-2021-27065, which are post-authentication arbitrary write file vulnerabilities in exchange.
Microsoft posted guidance in June 2020 about how to defend Exchange servers that are under attack and earlier this month posted about the rise of web shell attacks.
The Chinese foreign ministry, when asked about the Microsoft allegations during a regular daily press conference session, said the claims were groundless and reiterated that China is opposed to cyber attacks.
Researchers at Check Point said last month that a China-affiliated group cloned and actively used a hacking tool developed by the Equation Group, a group with ties to the National Security Agency. The campaign was reported to Microsoft by security officials at Lockheed Martin, according to a blogpost by Check Point.