URGENT: Four Actively Exploited 0-Day Vulnerabilities Found in Microsoft Exchange Server

March 3, 2021

Microsoft has issued emergency patches for four previously undisclosed security vulnerabilities in Exchange Server that are currently being exploited by a new state-sponsored threat actor from China, aimed at data theft. The Microsoft Threat Intelligence Center (MSTIC) describes these attacks as “limited and targeted,” revealing that the adversary exploited these vulnerabilities to gain access to on-premises Exchange servers, allowing them to infiltrate email accounts and install malware for prolonged access to the victim’s environment. Microsoft confidently attributes this campaign to a group known as HAFNIUM, a sophisticated state-sponsored hacker collective based in China, while also suggesting the potential involvement of other groups. In discussing HAFNIUM’s tactics, techniques, and procedures (TTPs), Microsoft highlights the group’s high level of skill and sophistication.

URGENT: Four Actively Exploited 0-Day Vulnerabilities Discovered in Microsoft Exchange

On March 3, 2021, Microsoft announced emergency patches to address four critical security vulnerabilities in its Exchange Server. These vulnerabilities, which were previously undisclosed, are reportedly being exploited by a state-sponsored threat actor from China, leading to significant concerns regarding data theft. Microsoft characterized the ongoing attacks as “limited and targeted,” whereby the adversaries leverage these exploits to gain unauthorized access to on-premises Exchange servers, subsequently targeting email accounts. This access further enables the installation of additional malware, facilitating prolonged presence within affected environments.

The campaign has been primarily attributed to a threat group identified as HAFNIUM, which is believed to operate under the aegis of state sponsorship from China. Microsoft expresses high confidence in this attribution but acknowledges the possibility that other threat actors may also be engaged in similar exploitative activities.

In a detailed analysis shared by the Microsoft Threat Intelligence Center (MSTIC), the HAFNIUM group is depicted as a highly skilled and sophisticated hacker collective that employs a variety of tactics, techniques, and procedures (TTPs). These TTPs are crucial for understanding the mechanics of the attack and offer insight into the group’s operational methods.

With respect to the MITRE ATT&CK framework, it is likely that the attackers utilized techniques associated with initial access through exploitation of vulnerabilities, followed by establishing persistence on targeted servers. The exploitation of these recently discovered vulnerabilities could also lead to privilege escalation, allowing attackers to access higher levels of control within affected systems.

Organizations using Microsoft Exchange Server must prioritize the application of these patches to mitigate risks associated with unauthorized access and potential data breaches. Given the sophisticated nature of the adversaries involved, proactive security measures should also include continuous monitoring for unusual activity and regular assessments of their cybersecurity postures.

As the landscape of cyber threats continues to evolve, it is imperative for business owners to stay informed and take action regarding the latest vulnerabilities and exploits. The nature of these attacks underscores the ongoing necessity for vigilance in maintaining robust cybersecurity defenses to protect sensitive data from state-sponsored and other cybercriminal activities.

In summary, the presence of these 0-day vulnerabilities in Microsoft Exchange Server represents a pressing threat to organizations worldwide. The exploitation of these flaws by a state-sponsored group like HAFNIUM highlights the critical need for swift remediation and enhanced security protocols to safeguard against such aggressive tactics in the evolving cyber threat environment.

Source link

Related Posts

Urgent: Critical RCE Vulnerability Discovered in F5 Big-IP Platform—Immediate Patching Required!

On March 11, 2021, F5 Networks issued an advisory highlighting four severe vulnerabilities across various products that could lead to denial of service (DoS) attacks and unauthenticated remote code execution on affected networks. The advisory addresses a total of seven related flaws (CVE-2021-22986 through CVE-2021-22992), including two identified by Felix Wilhelm of Google Project Zero in December 2020. The four critical vulnerabilities impact BIG-IP versions 11.6, 12.x, and newer, with a notable pre-auth remote code execution issue (CVE-2021-22986) also affecting BIG-IQ versions 6.x and 7.x. F5 has stated that it is not currently aware of any public exploitation of these vulnerabilities. If successfully exploited, these flaws could lead to complete system compromise, enabling remote code execution and potential buffer overflow, resulting in DoS conditions. Customers are strongly urged to apply updates immediately.

Released ProxyLogon Exploit PoC: A Potential Catalyst for Increased Cyber Attacks

March 11, 2021

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory on Wednesday, highlighting ongoing exploitation of vulnerabilities in Microsoft Exchange on-premises products by both nation-state actors and cybercriminals. “CISA and FBI assess that adversaries could exploit these vulnerabilities to compromise networks, steal sensitive information, encrypt data for ransom, or conduct destructive attacks,” the agencies stated. They also noted that compromised networks might be sold on the dark web. Recent attacks have mainly targeted local governments, academic institutions, NGOs, and businesses across various sectors such as agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceuticals—consistent with previous activities linked to Chinese cyber threats. Tens of thousands of entities, including the Eur…

Vulnerabilities in Two Major WordPress Plugins Impact Over 7 Million Sites

On March 18, 2021, researchers revealed security flaws in several WordPress plugins, which, if exploited, could enable attackers to execute arbitrary code and potentially take control of affected websites. The vulnerabilities were found in Elementor, a widely-used website builder plugin installed on more than seven million sites, and WP Super Cache, a popular tool for serving cached pages on WordPress. According to Wordfence, which identified the weaknesses in Elementor, the issue involves a series of stored cross-site scripting (XSS) vulnerabilities (CVSS score: 6.4). This occurs when malicious scripts are injected directly into a vulnerable web application. Specifically, the lack of server-side validation for HTML tags allows an attacker to inject executable JavaScript into posts or pages through crafted requests. “Since posts created by contributors are usually reviewed by editors or administrators before publication, any JavaScript added to one of the…

Urgent: High-Severity RCE Vulnerability Discovered in Apache OFBiz ERP Software – Immediate Patch Required

On March 22, 2021, the Apache Software Foundation disclosed a critical vulnerability in Apache OFBiz that poses a significant risk. Tracked as CVE-2021-26295, this flaw allows unauthenticated attackers to potentially take remote control of the open-source enterprise resource planning (ERP) system. It impacts all versions prior to 17.12.06 and involves an “unsafe deserialization” vulnerability that enables remote code execution on susceptible servers.

Apache OFBiz is a Java-based web framework designed for automating various enterprise processes, including accounting, customer relationship management, manufacturing, order management, supply chain fulfillment, and warehouse management. By exploiting this vulnerability, an attacker can manipulate serialized data to introduce arbitrary code. Once deserialized, this code can lead to unauthorized remote execution. It is crucial for users to implement the necessary patches immediately.