Microsoft has announced that multiple zero-day Microsoft Exchange vulnerabilities are being exploited by the Chinese hacking group Hafnium. The attackers are using web shells to remotely control compromised on-premises Exchange email servers, allowing them to steal data and take actions to establish persistent access to victim environments. They have reportedly been able to slip past most preventative security products.
The exploits don’t affect Exchange Online and are not connected to the massive SolarWinds campaign.
Who Is Being Targeted?
Microsoft has asserted that Hafnium—which evidently conducts its operations primarily from leased virtual private servers in the United States—tends to target high-profile organizations such as infectious disease researchers, policy think tanks, higher education institutions, law firms, defense contractors and NGOs in hopes of exfiltrating information. Already-identified victims of this campaign include city and county governments, healthcare providers, banks/financial institutions, and residential electricity providers.
Lower-profile victims include small hotels, an ice cream company, a kitchen appliance manufacturer, and multiple senior citizen communities.
What You Can Do