Microsoft fixes four zero-day flaws in Exchange Server exploited by China's ‘Hafnium’ spies to steal victims' data

Patch ASAP: Holes used to raid top-tier targets and stash info in Kim Dotcom's old cloud file locker

Microsoft says Beijing-backed hackers are exploiting four zero-day vulnerabilities in Exchange Server to steal data from US-based defense contractors, law firms, and infectious disease researchers.

The Windows giant today issued patches for Exchange to close up the bugs, and recommended their immediate application by all. On-prem and hosted Exchange, from version 2013 to 2019, are vulnerable and need fixing up.

Microsoft’s corporate veep for customer security and trust Tom Burt named the miscreants “Hafnium,” said they operate in China though use US-based servers, and classified the cyber-spy team as “a highly skilled and sophisticated actor” that's nation-state sponsored.

Burt said the snoops conduct a three-step attack:

  1. Gain access to an Exchange Server either using stolen passwords or by using zero-day vulnerabilities, and disguise themselves as a legitimate user.
  2. Control the compromised Exchange Server remotely using a web shell.
  3. Use the resulting remote access, from servers located in America, to exfiltrate internal data.

The Chinese spies have in their arsenal four zero-day bugs that can be chained to ultimately break into vulnerable Exchange installations; they are, according to Microsoft:

CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858: A post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065: A post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

We note that Microsoft recommends "prioritizing installing updates on Exchange Servers that are externally facing."

Security consultancy Volexity, which Microsoft credits with having helped it uncover two of the bugs, has posted its account of the incidents that led it to alert the tech goliath.

Volexity said it noticed unusual activity on clients’ Exchange Servers in January 2021 and upon investigation spotted “a large amount of data being sent to IP addresses it believed were not tied to legitimate users.

“A closer inspection of the IIS logs from the Exchange servers revealed rather alarming results. The logs showed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA). Volexity observed the attacker focused on getting a list of e-mails from a targeted mailbox and downloading them."
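The log pattern Volexity describes above (POST requests to static OWA assets such as images, scripts, stylesheets and fonts, which a browser only ever fetches with GET) can be turned into a simple triage check. The following is an added example, not code from Volexity or Microsoft; it parses IIS W3C log lines and flags POSTs to static OWA resources. The log excerpt, the Exchange version folder `15.2.0.0`, the IP addresses and the user agents are constructed for illustration.

```python
import re
from typing import Dict, Iterator, List

# Constructed IIS W3C log excerpt (not real data). The version folder, IPs and
# user agents are placeholders; the shape follows what Volexity reported seeing.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-02 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-02 10:15:03 10.0.0.5 GET /owa/auth/15.2.0.0/themes/resources/logon.css - 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-02 10:15:07 10.0.0.5 POST /owa/auth/15.2.0.0/themes/resources/logon.css - 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-02 10:15:12 10.0.0.5 POST /owa/auth/15.2.0.0/scripts/premium/flogon.js - 443 - 203.0.113.10 python-requests/2.25 200
2021-03-02 10:15:20 10.0.0.5 POST /owa/auth/15.2.0.0/themes/resources/segoeui-regular.ttf - 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-02 10:16:00 10.0.0.5 POST /owa/service.svc - 443 jdoe@corp.example 198.51.100.7 Mozilla/5.0 200
"""

# File types a browser only ever requests with GET; a POST to one is anomalous.
STATIC_EXT = re.compile(r"\.(png|gif|jpe?g|ico|js|css|woff2?|ttf|eot|svg)$", re.I)


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names, e.g. cs-method, cs-uri-stem
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def suspicious_owa_posts(text: str) -> List[Dict[str, str]]:
    """Return log entries where a static OWA asset was the target of a POST request."""
    hits = []
    for rec in parse_w3c(text):
        path = rec.get("cs-uri-stem", "")
        if rec.get("cs-method") == "POST" and "/owa/" in path.lower() and STATIC_EXT.search(path):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in suspicious_owa_posts(SAMPLE_IIS_LOG):
        print(h["date"], h["time"], h["c-ip"], h["cs-uri-stem"], h["cs(User-Agent)"])
```

The legitimate POST to `/owa/service.svc` in the sample is not flagged; only the three POSTs to static files are, and the client address they share is the lead an investigator would pull on next.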

Redmond also thanked Orange Tsai from the DEVCORE research team, Dubex, and its own Microsoft Threat Intelligence Center for discovering and reporting the holes. Microsoft named a cloud file locker founded by Kim Dotcom as one of Hafnium’s preferred destinations for exfiltrated data.

While the zero-day attacks don’t work against cloudy Exchange, users of Microsoft’s cloud messaging services need to be careful because the IT giant says it has seen Hafnium “interacting with victim Office 365 tenants.”

“While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments,” Microsoft stated.

Patch ASAP but log in as an Admin. Tweak port 443 and cross your fingers if you can’t patch

Microsoft has linked to and provided installation instructions for the patches here. Unsurprisingly, Microsoft recommends rapid patching, but if that’s going to be a problem in your environment, the super-corp's security experts offer some relief.

An advisory states: “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access.”

However, the memo also warns: “This mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”

There’s a little more relief to be had from the fact that Microsoft’s patches replace the February 9 security update for Exchange Server 2019, so if you’re a little behind, that wasn’t the worst update to have delayed.

But if you patch, do so carefully because the software titan warns that if you’re not logged in as an administrator, some files will not be correctly installed, and you won’t be notified of the problem. You’ll know you’ve done it wrong if Outlook on the web and the Exchange Control Panel stop working. But they don’t always stop.

So good luck with that one.

This page also offers details on how to detect if your environment has been compromised by Hafnium.

Microsoft says it has notified the US government of the attacks. Which means the Biden administration now has the attributed-to-Russia SolarWinds backdoor fiasco as well as the attributed-to-China Hafnium horror on its plate. SolarWinds is thought to have been compromised for up to three years. But Microsoft hasn’t said how long Hafnium has been active. ®
