Microsoft has released emergency security updates to its Exchange mail server that fix four zero-day vulnerabilities already exploited by Chinese hackers.
Hafnium, an APT group attributed to the Chinese government, uses victims' internet-facing servers as an entry point into their internal networks. Hafnium is known for its attacks on targets in the United States, including infectious disease researchers, law firms, higher education institutions, defense contractors, and nongovernmental organizations.
In a new wave of attacks this year, the group exploited four previously unknown vulnerabilities in Microsoft Exchange. According to Microsoft and Volexity, the attackers chained these vulnerabilities in a complex, multi-stage attack to bypass authentication, gain administrator privileges, and install ASPX web shells on the compromised servers.
Having gained access to the targeted organization's mail server, the attackers exported the contents of mailboxes and address books to a remote server. Specialists at the information security company Volexity detected this exfiltration of data from the mail servers of two of its clients. In the subsequent investigation they uncovered the malicious Hafnium operation and notified Microsoft. Microsoft in turn confirmed four previously unknown vulnerabilities in its product and released emergency patches.
The issues affect only Exchange mail servers installed on-premises, not Exchange Online.
Neither Microsoft nor Volexity is disclosing the victims of the new Hafnium operation, but Microsoft's vice president of consumer trust and safety, Tom Burt, said they "have informed the relevant US government agencies of the activity."