On Tuesday, Microsoft stated that a hacking group backed by the Chinese government is exploiting security flaws in its email server software, a product used by many American businesses.
In a blog post, Microsoft explained the details of the attack:
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
The report explains that “Hafnium” is a group that mainly targets U.S. organizations. The sectors it tends to target include “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”
Microsoft’s post goes on to say that this is not the first time Hafnium has struck vulnerable groups, adding that it “has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.
“In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments.”
The report details that after Hafnium gained initial access, its “operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.”
As reported by The Hill, Microsoft urged its customers to update Exchange Server in order to patch four vulnerabilities in the software.
Tom Burt, Microsoft’s corporate vice president of customer trust and security, responded to the incident in a blog post, saying, “Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack.”
Burt added, “This is the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society; other activity we disclosed has targeted healthcare organizations fighting Covid-19, political campaigns and others involved in the 2020 elections, and high-profile attendees of major policymaking conferences.”
Referencing the recent SolarWinds hack, which affected multiple government and private organizations and is believed to have been carried out by Russia, Burt said that this attack was unrelated.
He explained, “The exploits we’re discussing today were in no way connected to the separate SolarWinds-related attacks. We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services.”
Microsoft also stated that it has briefed United States government officials on the most recent hack.