Microsoft closes zero days in Exchange ‘used by Chinese hackers’

Microsoft has patched four zero-day vulnerabilities in Exchange Server. They were allegedly abused by Chinese spies to steal data from US defense contractors, law firms and infectious disease researchers.

Microsoft has discovered several zero-day exploits in Microsoft Exchange Server that have been used in a number of targeted attacks against US victims, the company writes in a security blog post. The vulnerabilities gave the attackers access to on-premises Exchange servers running versions 2013 through 2019 and to the email accounts on them, after which they could install malware. Microsoft is urging users to install the patch as soon as possible.

Microsoft attributes the exploits “with great certainty” to the Chinese hacker group Hafnium. This is a group linked to the Chinese government that actively targets data theft from American individuals working at law firms, in higher education, at political think tanks and at non-profits, among others. The group also targets defense contractors and infectious disease researchers. Hafnium operates mainly from rented virtual private servers in the US, Microsoft says.

In this case, four zero-days that were being actively exploited were discovered. CVE-2021-26855 allowed attackers to send arbitrary HTTP requests and impersonate the Exchange server. CVE-2021-26857 gave attackers the ability to run code with high privileges on an Exchange server; exploiting it required either full administrator access or chaining it with the previous vulnerability. CVE-2021-26858 and CVE-2021-27065 let the hackers write files to any location they wanted on the Exchange server.

According to Microsoft, the attackers worked in three steps. First, they gained access to on-premises Exchange servers by exploiting these vulnerabilities or by using stolen passwords. Hafnium then deployed web shells on the Exchange servers, which gave the hackers remote control of the server. Finally, they stole data and installed malware. The hackers also downloaded complete address books, which gave them information about organizations and their users. Microsoft says it has informed the US government about the attacks.

Security firm Volexity discovered two of the vulnerabilities in January after noticing that a large amount of data was being sent to suspicious IP addresses. At first, Volexity thought a backdoor was being used, but the company soon found out that multiple zero-days were involved. Exploiting one of the zero-days requires no authentication at all: an attacker only needs to know which server is running Exchange and which email address to steal data from. In a blog post, the company explains in detail how the vulnerabilities could be exploited.