Microsoft: 4 Exchange Server Zero-Days Under Attack by Chinese Hacking Group


Microsoft late Tuesday raised the alarm after discovering Chinese cyber-espionage operators chaining multiple zero-day exploits to siphon e-mail data from corporate Microsoft Exchange servers.


Redmond's warning includes the release of emergency out-of-band patches for four distinct zero-day vulnerabilities that formed part of the threat actor's arsenal.


Microsoft pinned the blame on a sophisticated Chinese APT operator called HAFNIUM that operates from leased VPS (virtual private servers) in the United States.


HAFNIUM primarily targets entities in the U.S. across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.


The company said its analysts assess with high confidence that HAFNIUM is state-sponsored and operating out of China, based on observed victimology, tactics and procedures.


In all, Microsoft said the attacker chained four zero-days into a malware cocktail targeting its Exchange Server (Outlook Web App) product. The vulnerabilities exposed Microsoft's customers to remote code excecution attacks, without requiring authentication.



"In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments," Microsoft said.


"We strongly urge customers to update on-premises systems immediately," the company urged.


Here are the raw details on the vulnerabilities being exploited in the wild.


CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate a ..