Microsoft, the IT company founded by Bill Gates, discovered that a group of hackers sponsored by the Chinese state and known as Hafnium chained four different vulnerabilities to gain access to some Microsoft Exchange servers. The group's main targets are US organizations, from which data has allegedly been stolen. The attacks recognized so far are limited, but if companies do not take immediate action they could increase.
"Historically, Hafnium primarily targets entities in the United States for the purpose of retrieving information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, political think tanks and NGOs," Microsoft wrote on its blog. "Although Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States."
Microsoft Exchange: zero-day vulnerabilities
The Redmond-based company promptly released Microsoft Exchange updates aimed at addressing these zero-day vulnerabilities. Zero-day (or 0-day) vulnerabilities are vulnerabilities that are not yet known to the developer or to the company that produced the affected system, in this case Microsoft; once they are fixed through updates they lose importance, because they can no longer be used against systems that have applied the fix.
The attack, as mentioned above, exploits the four identified vulnerabilities in a chain and allows the attackers to steal e-mail and install additional malware that gives them access to further data. The hacker group is believed to be interested in stealing sensitive data from various US companies.
How the attack works
As BleepingComputer reports, for the attack to work, remote attackers need to be able to reach an on-premises Microsoft Exchange server on port 443. If that access is available, they use the following vulnerabilities to gain remote access:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allowed the attacker to send arbitrary HTTP requests and authenticate as an Exchange server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging Service. Insecure deserialization is the point where user-controllable untrusted data is deserialized by a program. Exploitation of this vulnerability gave Hafnium the ability to execute code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server, it could use this vulnerability to write a file anywhere on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising the credentials of a legitimate administrator.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server, it could use this vulnerability to write a file anywhere on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising the credentials of a legitimate administrator.
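The first link in the chain is the SSRF: the server can be made to issue a request that an internal endpoint then trusts as coming from the server itself. The added example below (not Microsoft's code, and unrelated to Exchange internals) models that class of bug with a constructed "fetch on the caller's behalf" helper and a constructed internal backend, showing the vulnerable form beside a hardened one that pins destinations to an allow-list, rejects loopback and private addresses, and never forwards the server's own credential.

```python
# Added example: vulnerable vs. hardened "fetch on the caller's behalf" helper.
# Everything here (hosts, token, backend) is constructed for illustration.
import ipaddress
from urllib.parse import urlsplit

SERVER_TOKEN = "svc-identity-token"     # constructed stand-in for a server credential
ALLOWED_HOSTS = {"mail.example.test"}   # constructed allow-list of external hosts


def backend(host: str, path: str, headers: dict) -> str:
    # Constructed stand-in for an internal endpoint that trusts SERVER_TOKEN.
    if headers.get("Authorization") == f"Bearer {SERVER_TOKEN}":
        return f"200 trusted-as-server {host}{path}"
    return f"200 anonymous {host}{path}"


def fetch_vulnerable(user_url: str) -> str:
    # Vulnerable: no destination check, and the server credential is forwarded,
    # so a caller-chosen internal URL is served as if the server asked for it.
    parts = urlsplit(user_url)
    headers = {"Authorization": f"Bearer {SERVER_TOKEN}"}
    return backend(parts.hostname or "", parts.path, headers)


def _is_internal(host: str) -> bool:
    # True for loopback/private/link-local/reserved IP literals and localhost.
    if host in ("", "localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False   # a hostname: the allow-list decides, not this check
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def fetch_hardened(user_url: str) -> str:
    # Hardened: https only, allow-listed hosts only, no internal addresses,
    # and the outbound request carries no server credential at all.
    parts = urlsplit(user_url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or host not in ALLOWED_HOSTS or _is_internal(host):
        return "403 destination rejected"
    return backend(host, parts.path, {})


if __name__ == "__main__":
    for url in ("https://127.0.0.1/admin", "https://mail.example.test/inbox"):
        print(url, "->", fetch_vulnerable(url), "|", fetch_hardened(url))
```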
"While we've worked quickly to roll out an update against Hafnium's exploits, we know criminal groups will move quickly to take advantage of any unpatched systems," said Tom Burt, Corporate Vice President of Customer Security & Trust. "Timely application of patches released today is the best protection against this attack."
Given the potential severity of the attacks, the software house recommends that administrators install these updates immediately to protect their Exchange servers.