The US Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-02, which orders federal agencies to address zero-day vulnerabilities in Microsoft Exchange, a widely used email server product, that were reportedly exploited in a hacking campaign conducted by a China-linked threat actor.
Earlier this week, Microsoft released a batch of security updates to patch four zero-day flaws affecting Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). All four are described as input validation errors that allow remote code execution via specially crafted data sent to the Exchange server.
The affected Exchange Server versions include Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019. Microsoft Exchange Online is not impacted.
According to Microsoft, the vulnerabilities were used by a China-linked state-sponsored hacker group known as Hafnium as part of an attack chain aimed at stealing information from target networks. The attacker exploited these vulnerabilities to gain initial access to the target systems and install an ASPX web shell on the compromised servers, which allowed them to steal data and perform additional malicious activities.
The “emergency directive” from CISA requires agencies either to apply the security fixes for the vulnerabilities in the Microsoft Exchange Server software or, if indications of compromise or anomalous behavior have been found, to disconnect their on-premises Microsoft Exchange servers.
In a post on Twitter, the Slovak cybersecurity firm ESET said that several advanced persistent threat (APT) groups, such as the Chinese-backed APT27, Bronze Butler (aka Tick), and Calypso, are exploiting "at least" the CVE-2021-26855 Microsoft Exchange Server vulnerability as part of ongoing attacks. ESET said it also detected a few additional clusters of activity that it has yet to identify.
“ESET telemetry shows that (at least) CVE-2021-26855 is actively exploited in the wild by several cyber-espionage groups. Among them, we identified LuckyMouse, Tick, Calypso and a few additional yet-unclassified clusters,” the company said. “Most targets are located in the US but we've seen attacks against servers in Europe, Asia and the Middle East. Targeted verticals include governments, law firms, private companies and medical facilities.”