Microsoft has been forced to release out-of-band patches to fix multiple zero-day vulnerabilities being exploited by Chinese state-backed threat actors.
The unusual step was taken to protect customers running on-premises versions of Microsoft Exchange Server.
“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments,” Microsoft said.
“Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”
The four zero-days are: server-side request forgery bug CVE-2021-26855, post-authentication arbitrary file write flaws CVE-2021-27065 and CVE-2021-26858, and CVE-2021-26857, which is an insecure deserialization vulnerability in the Unified Messaging service.
Combined, the vulnerabilities could allow attackers to authenticate as the Exchange server, run code as System and write a file to any path on the server. After exploiting the four bugs, the attackers are said to deploy web shells which allow them to steal data and perform additional malicious actions to further compromise their targets.
Hafnium actors usually work from leased virtual private servers in the US, primarily targeting sectors in the country such as infectious disease research, legal, higher education, defense, policy think tanks and NGOs, according to Microsoft.
“Hafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, Hafnium typically exfiltrates data to file sharing sites like Mega,” it said.
“In campaigns unrelated to these vulnerabilities, Microsoft has observed Hafnium interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments.”