3 March 2021

Microsoft patches 4 Exchange 0days actively exploited by Chinese hackers

Microsoft has released a set of out-of-band security updates for its Exchange Server enterprise email product to fix a total of four zero-day vulnerabilities that have been actively exploited in real-world attacks.

The vulnerabilities in question are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. All four are described as input validation issues that allow remote code execution using specially crafted data sent to the Exchange server.

The affected Exchange Server versions include Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019. Microsoft Exchange Online is not impacted.

The culprit behind the attacks appears to be a China-linked state-sponsored hacker group known as Hafnium. Microsoft says this APT primarily targets entities in the United States with the goal of stealing information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. Although the group is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.

According to Microsoft and security firm Volexity, which published its own report on the attacks, the above-mentioned flaws were used as part of an attack chain. The attacker exploited these vulnerabilities to gain initial access to the target systems and install an ASPX web shell on the compromised servers, which allowed them to steal data and perform additional malicious activities.

“Hafnium operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users,” Microsoft added.

Volexity says it detected suspicious activity on two of its customers’ Microsoft Exchange servers in January 2021, which led to the discovery of the attacks.

The Windows maker urges all customers to apply security patches for Exchange Server 0days as soon as possible.
