Microsoft has announced multiple zero-day Microsoft Exchange vulnerabilities are being exploited by Chinese hacking group Hafnium. The hackers are using web shells to remotely control compromised on-premises Exchange email servers, allowing them to steal data and take actions to establish persistent access to victim environments. They have reportedly been able to slip past most preventative security products.

The exploits don’t affect Exchange Online and are not connected to the massive SolarWinds campaign.

Who Is Being Targeted?

Microsoft has asserted that Hafnium—which evidently conducts its operations primarily from leased virtual private servers in the United States—tends to target high-profile organizations such as infectious disease researchers, policy think tanks, higher education institutions, law firms, defense contractors and NGOs in hopes of exfiltrating information. Already-identified victims of this campaign include city and county governments, healthcare providers, banks/financial institutions, and residential electricity providers.

Lower-profile victims include small hotels, an ice cream company, a kitchen appliance manufacturer, and multiple senior citizen communities.

What You Can Do

• Microsoft released security updates that will protect customers running Exchange Server. While Hafnium is generally focused on “big-game hunting,” everyone should patch immediately because, as Microsoft put it, “we anticipate that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.” Exploit code is likely to be forthcoming.
• Read the Microsoft blog for technical details of the vulnerabilities/CVEs
• Contact us. We can help evaluate your environment, and identify and remediate weaknesses that could result in compromise.