Microsoft Exchange Server Attacked By Chinese Hackers

Volexity has seen active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal email and compromise networks, and the attacks appear to have begun as early as Jan. 6.


Chinese state-sponsored hackers have attacked on-premises versions of Microsoft Exchange Server using zero-day exploits in an effort to obtain long-term access to victim environments.

The Redmond, Wash.-based software giant said the hackers took advantage of previously unknown vulnerabilities to carry out limited and targeted attacks against on-premises Exchange servers. This enabled access to victim email accounts, which in turn allowed for the installation of additional malware that paves the way for long-term access.

The Microsoft Threat Intelligence Center is attributing the campaign to Hafnium, a state-sponsored hacking group based in China that conducts its operations primarily from leased virtual private servers in the United States. Hafnium targets U.S.-based infectious disease researchers, policy think tanks, higher education institutions, law firms, defense contractors and NGOs in hopes of exfiltrating information.



“We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem,” the Microsoft Threat Intelligence Center wrote in a blog Tuesday.

The Chinese hackers would first gain access to an Exchange Server either with stolen passwords or by using the zero-day vulnerabilities to disguise themselves as someone who should have access, Tom Burt, Microsoft’s corporate vice president of customer security and trust, wrote in a blog post Tuesday. From there, Burt said the hackers would create a web shell to control the compromised server remotely.

Finally, Burt said the hackers would capitalize on their remote access, run from U.S.-based private servers, to steal data from an organization’s network. Hafnium’s exploits don’t affect Exchange Online and are in no way connected to the massive SolarWinds campaign, which was carried out by the Russian foreign intelligence service. Microsoft has briefed appropriate U.S. government agencies on this activity.

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” Burt wrote in his blog post. “Promptly applying today’s patches is the best protection against this attack.”

Volexity first detected anomalous activity from two of its customers’ Microsoft Exchange servers on Jan. 6, with large amounts of data being sent to IP addresses not believed to be tied to legitimate users. The incident response vendor said it’s seeing active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal email and compromise networks, and worked with Microsoft to investigate.

The hackers took advantage of one vulnerability to steal the full contents of several user mailboxes, Volexity said, which only required knowing the server running Exchange as well as the account from which they want to extract email. The flaw is remotely exploitable and requires neither authentication of any kind nor any special knowledge or access to a target environment, according to Volexity.

“Volexity has observed the attacker writing webshells to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database, and move laterally to other systems and environments,” Volexity wrote in a blog post published Tuesday.

The first Microsoft vulnerability allowed Hafnium to send arbitrary HTTP requests and authenticate as the Exchange server, according to the Microsoft Threat Intelligence Center. The second vulnerability required administrator permission or another flaw to exploit, and gave Hafnium the ability to run code as SYSTEM on the Exchange server, according to Microsoft.

If Hafnium was able to authenticate with the Exchange server, the hackers could either compromise a legitimate admin’s credentials or take advantage of the third or fourth Microsoft vulnerabilities to write a file to any path on the server. The hackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.

“After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised server,” the Microsoft Threat Intelligence Center wrote in its blog post. “Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.”