In early March 2021, Microsoft issued an urgent alert about zero-day security vulnerabilities in several versions of Exchange Server. These platforms have been subject to a targeted attack, making it crucial that affected systems receive updates as soon as possible.
Let's look at what this exploit involves so you're in the know.
The Exchange Server Vulnerability
On March 2, 2021, Microsoft announced that a Chinese state-sponsored group it calls Hafnium was engaging in a sophisticated attack against four zero-day vulnerabilities in Exchange Server. These exploits were not known to anyone before these attacks started, but could become more widespread in the future.
The company explained that the attacks used three main steps:
- The attackers gain access to an Exchange Server by stealing passwords or using one of several vulnerabilities to disguise themselves as a legitimate user.
- They then set up a web shell to control the server from their remote location.
- Once in control of the server, they're able to steal data from the network.
Exchange Server's cloud version is not affected by this; on-premises versions of Exchange Server 2013, 2016, and 2019 are all open to these vulnerabilities. The exploits are quite technical, but include steps to forge access and then control the server to do whatever they want. Another security firm that works with Microsoft, called Volexity, said these attacks began in early January.
According to Microsoft, the attackers are primarily focusing on stealing information from industries like law firms, defense contractors, and disease researchers. This is a complex hack, meaning that the attackers are not amateurs.
On March 3, 2021, the US Department of Homeland Security issued an emergency alert about this vulnerability.
It noted that these vulnerabilities pose too much risk to government infrastructure, so it required all federal agencies to run an audit on all Exchange Server systems to check for signs of compromise. And if admins aren't able to install Microsoft's patches that fix this vulnerability, they must disconnect the servers running Exchange Server.
Obviously, both Microsoft and the government are taking this issue very seriously. Zero-day exploits are a particular danger to software vendors, since they have to work quickly to patch the issues and lock out the attackers. And clearly, these hackers are serious about the attack, since they "used up" four zero-day exploits all in one attack. If it wasn't as heavy of an attack, they might have waited to use the zero-day exploits one-by-one so they weren't all patched at once.
Patches and Future Concerns
Microsoft says that since Exchange Server is primarily used by business, individual consumers are not at risk. It also has no evidence that other Microsoft products are affected, and assures that these issues are completely separate from the major SolarWinds attack.
Even if you aren't in an industry that Microsoft identified as a prime target in these attacks, this exploit could result in your systems becoming compromised. We patched all client systems as soon as we learned about this vulnerability, so our customers are protected.
Attacks like these are frightening, but quick patches can mitigate your vulnerability. They also illustrate the risk of zero-day attacks and how sophisticated hackers' plans can be. To learn more, have a look at common security terms you should know.