On Friday, Microsoft warned that vulnerabilities in unpatched on-premises Microsoft Exchange Servers are being actively exploited against numerous organizations worldwide. The campaigns have reportedly compromised tens of thousands of businesses and government bodies across the United States, Europe, and Asia.

Microsoft's security team reported a significant escalation: the attacks are no longer limited to a few specifically targeted organizations but are now widespread, and several malicious actors beyond the previously identified HAFNIUM group are using the vulnerabilities against unpatched systems.

Independent cybersecurity journalist Brian Krebs reported that at least 30,000 organizations in the U.S., primarily small businesses and local governments, have been compromised in an aggressive campaign attributed to a suspected Chinese hacking group. Its primary objective has been to steal email from affected organizations by exploiting previously undisclosed (zero-day) vulnerabilities in Exchange Server.

Victims have also been reported outside the U.S., including companies in Norway, the Czech Republic, and the Netherlands. The Norwegian National Security Authority has begun scanning for vulnerable Exchange servers within the country and has pledged to notify affected businesses.

The scale of this campaign surpasses that of the SolarWinds compromise, which affected up to 18,000 customers last December. As with SolarWinds, the attackers likely conducted preliminary reconnaissance to single out high-value targets, with follow-on activity depending on what access each compromised machine gave them.

Unpatched Exchange Servers Vulnerable to Exploitation

Exploiting these vulnerabilities gives adversaries unauthenticated access to on-premises Microsoft Exchange Servers and lets them install web shells (web-based backdoors) for persistent access. Different groups are using the zero-days for different post-exploitation activity, depending on their objectives.

The key vulnerability, CVE-2021-26855 (nicknamed "ProxyLogon"), is a server-side request forgery (SSRF) flaw that lets an unauthenticated attacker who can reach an Exchange Server over an untrusted, typically Internet-facing, connection bypass authentication and act as the Exchange server itself. The remaining vulnerabilities, CVE-2021-26857 (insecure deserialization in the Unified Messaging service), CVE-2021-26858 and CVE-2021-27065 (both post-authentication arbitrary file writes), are chained after that initial bypass to run code on the server and write web shells to disk.

Taiwanese cybersecurity firm Devcore discovered the vulnerabilities during a security audit and reported them to Microsoft in early January 2021. Since Microsoft also issued patches for Exchange Server 2010, the flaws may have been present in the code base for more than a decade.

Microsoft patched the vulnerabilities in an out-of-band emergency update but cautioned that multiple nation-state actors and criminal groups would likely move to exploit any systems left unpatched. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring agencies running vulnerable versions of Exchange Server to either update the software or disconnect the servers from their networks.

On March 6, CISA acknowledged widespread exploitation of the vulnerabilities and urged organizations to scan their Exchange Server logs with Microsoft's detection tools to check for compromise. Installing the patches closes the initial entry point but does nothing for a server that was already backdoored: any web shell or other persistence dropped before patching survives, so organizations must also hunt for and remove lingering footholds.

Observations of Multiple Threat Clusters

FireEye's Mandiant threat intelligence team reported observing multiple instances of Microsoft Exchange Server abuse in client environments since January, with the earliest intrusion activity believed to date to around January 6, 2021. Microsoft has attributed the exploitation with high confidence to HAFNIUM, a sophisticated group assessed to be state-sponsored and operating out of China.

Mandiant has tracked three clusters of intrusion activity, labeled UNC2639, UNC2640, and UNC2643, and expects that number to grow as more attackers are identified. A Chinese government spokesperson has denied involvement in the attacks.

Katie Nickels of Red Canary noted distinct activity patterns pointing to at least five clusters exploiting the vulnerabilities. Some compromised Exchange servers were also found running DLTminer, a cryptocurrency-mining malware family previously documented by security firm Carbon Black, which suggests that other groups have obtained or reverse-engineered the exploit code since Microsoft's patches were released.

Microsoft’s Mitigation Strategies

Alongside the patches, Microsoft has published interim mitigation guidance for Exchange customers that need time to deploy them, and has updated the Microsoft Safety Scanner (MSERT) to detect the web shells used in these attacks. The mitigations reduce exposure while patching is under way but do not replace the patches, and neither step by itself tells an organization whether it was already compromised.

Experts stress that the vulnerabilities pose a severe risk because they let an attacker execute commands remotely on a vulnerable server without any credentials. Organizations running on-premises Exchange servers should therefore patch immediately and then check for signs of prior compromise.
