Microsoft has detected multiple 0-day exploits being used to attack on-premises and hybrid environment versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
Please note: This attack does not impact anyone running Exchange Online exclusively!
Details:
Microsoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defence against any future attacks against unpatched systems.
We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem.
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.”
Tom Burt - Microsoft
Users of Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.
Microsoft also advises that the initial stage of the attack can be stopped by “restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access”, although the other parts of the attack chain can still be exploited if other means of access are used.
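As an added example, not part of the original notice: a PowerShell inventory, run from the Exchange Management Shell, that lists each on-premises Exchange server's version and flags those that publish external client URLs, so the externally facing servers can be patched first and their exposure to untrusted connections reviewed. The cmdlets and properties used are standard Exchange ones; the assumed permission level (View-Only Organization Management or higher) is an assumption.

```powershell
# Added example (not from the original notice): inventory on-premises Exchange
# servers and flag those publishing external URLs, to prioritise patching and
# to review which servers accept untrusted (internet-facing) connections.
# Assumes the Exchange Management Shell with View-Only Organization Management
# rights or higher (assumption); cmdlets and properties are standard Exchange ones.

$vdirCmdlets = @(
    'Get-OwaVirtualDirectory',
    'Get-EcpVirtualDirectory',
    'Get-WebServicesVirtualDirectory',
    'Get-ActiveSyncVirtualDirectory',
    'Get-OabVirtualDirectory',
    'Get-MapiVirtualDirectory'
)

$report = foreach ($server in Get-ExchangeServer) {
    # Collect every non-empty ExternalUrl published by this server's client vdirs.
    # Edge Transport servers have no client vdirs, hence -ErrorAction SilentlyContinue.
    $externalUrls = foreach ($cmdlet in $vdirCmdlets) {
        & $cmdlet -Server $server.Name -ErrorAction SilentlyContinue |
            Where-Object { $_.ExternalUrl } |
            ForEach-Object { $_.ExternalUrl.AbsoluteUri }
    }
    [pscustomobject]@{
        Server           = $server.Name
        Version          = $server.AdminDisplayVersion.ToString()
        Roles            = $server.ServerRole
        ExternallyFacing = [bool]$externalUrls
        ExternalUrls     = ($externalUrls | Sort-Object -Unique) -join '; '
    }
}

# Externally facing servers first: these are the ones to patch first, and the ones
# whose acceptance of untrusted connections should be reviewed.
$report | Sort-Object ExternallyFacing -Descending | Format-Table -AutoSize
```

A published ExternalUrl shows intent to serve external clients but does not by itself prove internet reachability; confirm against the firewall or reverse-proxy configuration before treating a server as internal-only.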
If you have any concerns about this attack and/or need assistance, please contact us as soon as possible.
Part of Simplify Technology Group Ltd