In case you missed the news last week, a hacking group in China dubbed “Hafnium” has been exploiting vulnerabilities in Microsoft Exchange Server to steal email files. These attacks are reportedly aimed at companies that still host their email (Exchange) services on premises.
“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments,” Microsoft wrote in a blog post.
It appears these attacks have been going on since early January 2021 but only surfaced publicly in the past week. One of the vulnerabilities (CVE-2021-26855) is particularly serious, as it allows the attacker to access the server remotely without any authentication; all they need to know is the name of the Exchange server and the account from which they want to extract email. A second vulnerability (CVE-2021-26857) can allow remote code execution, which makes it possible to deploy malware to the Exchange server and, depending on the architecture of your network, can affect other servers too.
The DHS (Department of Homeland Security) has issued emergency directives, as it believes Hafnium is state-sponsored by China and is directly targeting US organizations. These include infectious disease researchers, law firms, colleges, defense contractors, and other public and private sector businesses.
If you are running on-premises Exchange servers in your organization, it is imperative that you follow these emergency directives and install the latest patches released by Microsoft. It is important to note that these vulnerabilities have not affected Exchange Online for companies using Microsoft 365’s email service.
This should serve as a reminder to review your current email strategy and consider moving to a hosted platform where you can lower your company’s exposure to internet-facing servers such as Exchange. If you need any help in assessing your network’s exposure and overall cybersecurity posture, be sure to check out our security services and contact our team of experts.