In a recent cybersecurity development, Microsoft addressed critical zero-day vulnerabilities within its on-premises Exchange Server software through a series of out-of-band patches. Following these updates, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent directive alerting organizations to the “active exploitation” of these vulnerabilities.
This warning follows Microsoft’s earlier disclosure of a campaign by China-based threat actors who were exploiting previously unknown vulnerabilities in Exchange Server to exfiltrate sensitive information from targeted organizations. This marks a significant escalation: it is the second instance within a four-month timeframe in which U.S. cybersecurity agencies have had to respond rapidly to foreign-led hacking efforts.
According to Microsoft, the group primarily responsible is tracked as HAFNIUM. However, cybersecurity firm ESET has reported that its research uncovered evidence of one particular vulnerability, CVE-2021-26855, being actively exploited by several cyber espionage groups, including LuckyMouse, Tick, and Calypso. These groups have reportedly targeted servers across the United States, Europe, Asia, and the Middle East.
Further investigations by Huntress Labs have revealed widespread exploitation of vulnerable Exchange servers, with more than 350 web shells identified across around 2,000 compromised systems. As highlighted by Huntress senior security researcher John Hammond, the presence of multiple web shells on some servers suggests either automated deployment or the activities of multiple attackers working independently. Alarmingly, many of these systems are equipped with antivirus or EDR solutions, which have failed to prevent these intrusions.
This situation suggests that the scale of the attacks is much broader than the “limited and targeted” threats reported by Microsoft earlier in the week. While it remains unclear if any U.S. government entities have suffered breaches, the recent CISA directive illustrates the critical nature of the threat landscape.
CISA is urging all organizations to install the patches without delay, citing the high probability of widespread exploitation of these vulnerabilities now that they are public knowledge. The agency emphasizes that failure to act could lead to degradation of federal government services that serve the American public.