Infosecurity Magazine, News, 2021-03-03

Microsoft Patches Four Zero-Day Exchange Server Bugs

Microsoft has been forced to release out-of-band patches to fix multiple zero-day vulnerabilities being exploited by Chinese state-backed threat actors.

The unusual step was taken to protect customers running on-premises versions of Microsoft Exchange Server.

“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments,” Microsoft said.

“Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”

The four zero-days are: server-side request forgery bug CVE-2021-26855, post-authentication arbitrary file write flaws CVE-2021-27065 and CVE-2021-26858, and CVE-2021-26857, which is an insecure deserialization vulnerability in the Unified Messaging service.

Combined, the vulnerabilities could allow attackers to authenticate as the Exchange server, run code as System and write a file to any path on the server. After exploiting the four bugs, the attackers are said to deploy web shells which allow them to steal data and perform additional malicious actions to further compromise their targets.
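Because the chain above ends with an arbitrary file write that is used to drop web shells into web-served directories, one practical defensive check is to baseline the hashes of every server-executed file (.aspx, .ashx, .asmx) under the Exchange or IIS web roots and re-scan for files that are new or whose content changed. The following is an added example written for this page, not code from the article or from Microsoft; it assumes the defender captured a trusted baseline before the incident, takes the directory roots to scan as a parameter rather than hard-coding Exchange's install paths, and builds a constructed temporary tree so it runs offline.

```python
"""Baseline-and-diff check for unexpected ASP.NET files in web-served directories.

Added example, not code from the article or from Microsoft. Assumes a trusted
(path -> sha256) baseline captured before the incident; the scanned roots are
passed in, not hard-coded to any Exchange install path.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# File types IIS executes server-side; a dropped web shell normally uses one of these.
SUSPECT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map relative path -> sha256 for every server-executed file under root."""
    baseline: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SUSPECT_EXTENSIONS):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def find_deviations(root: str, baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (relative_path, reason) for files absent from or differing from the baseline."""
    current = build_baseline(root)
    findings: List[Tuple[str, str]] = []
    for rel, digest in sorted(current.items()):
        if rel not in baseline:
            findings.append((rel, "new file not in baseline"))
        elif baseline[rel] != digest:
            findings.append((rel, "content changed since baseline"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: baseline a small tree, then add one .aspx and alter another."""
    with tempfile.TemporaryDirectory() as root:
        auth = os.path.join(root, "owa", "auth")  # constructed layout, not a real install path
        os.makedirs(auth)
        with open(os.path.join(auth, "logon.aspx"), "w") as f:
            f.write('<%@ Page Language="C#" %> legitimate page\n')
        baseline = build_baseline(root)
        # Simulated post-incident writes (constructed placeholder content, not shell code).
        with open(os.path.join(auth, "unexpected.aspx"), "w") as f:
            f.write('<%@ Page Language="C#" %> file that was not in the baseline\n')
        with open(os.path.join(auth, "logon.aspx"), "a") as f:
            f.write("<!-- appended content -->\n")
        return find_deviations(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

In practice the baseline should be taken from a known-good install (or from the vendor's own file manifest) and stored off-host, since an attacker who can write to any path on the server can also overwrite a baseline kept beside the web root; the scan itself is cheap enough to schedule frequently.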

Hafnium actors usually work from leased virtual private servers in the US, primarily targeting sectors in the country such as infectious disease research, legal, higher education, defense, policy think tanks and NGOs, according to Microsoft.

“Hafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, Hafnium typically exfiltrates data to file sharing sites like Mega,” it said.

“In campaigns unrelated to these vulnerabilities, Microsoft has observed Hafnium interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments.”
