More Details Emerge on the Microsoft Exchange Server Attacks

The attacks appear more widespread than initially reported, researchers say. Plus: a look at why the Microsoft Exchange Server zero-days patched this week are so dangerous.

Security researchers believe attacks exploiting four critical Microsoft Exchange Server vulnerabilities extend beyond the "limited and targeted" incidents reported by Microsoft this week when it issued patches for the zero-day flaws and urged enterprises to patch immediately.

Organizations first learned of the Exchange Server zero-days on Tuesday when Microsoft released the fixes. Microsoft attributes the activity "with high confidence" to a group it calls Hafnium, which it believes operates out of China and primarily targets organizations based in the United States.

As more security researchers track the activity, new details emerge about these active exploits, how they were found, and factors that drove the release of yesterday's out-of-band patches. 

These attacks appear to have started as early as Jan. 6, 2021, report Volexity researchers who detected anomalous activity from two customers' Microsoft Exchange servers that month. 

Volexity noticed a large amount of data being sent to IP addresses that it believed were not tied to actual users. Closer inspection revealed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access. Such static resources are only ever fetched with GET by a browser, so a POST aimed at one of them is a strong anomaly. Volexity suspected the servers might be backdoored and began an investigation, which led to uncovering the zero-day exploit.
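As an added example (not code from Volexity or from the original article), the following Python script applies both of those observations to IIS W3C logs from an Exchange front end: it flags POST requests whose target is a static resource (a browser never POSTs to a stylesheet, image or font file) and totals the bytes served to each client address so that unusually heavy recipients can be compared against known users. The log lines, the OWA resource paths, the client addresses and the byte threshold are all constructed for illustration, and the script assumes that the optional sc-bytes field is enabled in the server's logging configuration.

```python
"""Hunt for anomalous OWA traffic in IIS W3C extended logs.

Two heuristics, both derived from the anomalies described above:
  1. POST requests whose target is a static resource (script, stylesheet,
     image, font). Browsers fetch these with GET only.
  2. Client IPs that receive an unusually large volume of response data
     (sc-bytes), which an analyst can then check against real users.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# File extensions a browser only ever retrieves with GET.
STATIC_EXTENSIONS = (".js", ".css", ".gif", ".png", ".jpg", ".ico",
                     ".woff", ".woff2", ".ttf", ".eot", ".svg")

# Constructed sample log. The paths, addresses and sizes are illustrative;
# sc-bytes is assumed to be enabled in IIS logging. IIS encodes spaces in
# field values as '+', so each field is a single whitespace-free token.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes
2021-01-06 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200 4312
2021-01-06 10:15:02 10.0.0.5 GET /owa/auth/15.1.2176/themes/resources/logon.css - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200 9876
2021-01-06 10:15:09 10.0.0.5 POST /owa/auth/15.1.2176/themes/resources/logon.css - 443 - 198.51.100.23 python-requests/2.25.1 200 1048576
2021-01-06 10:15:10 10.0.0.5 POST /owa/auth/Current/themes/resources/logo.gif - 443 - 198.51.100.23 python-requests/2.25.1 200 2097152
2021-01-06 10:16:00 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 302 0
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C log lines, taking the column layout from #Fields."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # layout can change mid-file
            continue
        if line.startswith("#"):
            continue                       # #Software, #Version, #Date
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue                       # malformed or header-less line
        records.append(dict(zip(fields, values)))
    return records


def is_static_resource(uri_stem: str) -> bool:
    """True when the request path ends in a static-content extension."""
    return uri_stem.lower().endswith(STATIC_EXTENSIONS)


def find_post_to_static(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (client IP, path) for every POST aimed at a static file."""
    return [
        (r.get("c-ip", "-"), r.get("cs-uri-stem", ""))
        for r in records
        if r.get("cs-method", "").upper() == "POST"
        and is_static_resource(r.get("cs-uri-stem", ""))
    ]


def bytes_sent_per_client(records: List[Dict[str, str]],
                          threshold: int) -> Dict[str, int]:
    """Sum sc-bytes per client IP; keep only clients at or above threshold."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        try:
            totals[r.get("c-ip", "-")] += int(r.get("sc-bytes", "0"))
        except ValueError:
            continue                       # sc-bytes logged as '-' or junk
    return {ip: n for ip, n in totals.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG.splitlines())
    for ip, path in find_post_to_static(recs):
        print(f"POST to static resource from {ip}: {path}")
    for ip, n in bytes_sent_per_client(recs, threshold=1_000_000).items():
        print(f"heavy recipient {ip}: {n} bytes served")
```

Run it against a real W3C log with `parse_w3c(open(path))`; the byte threshold should be tuned to the server's normal per-client volume, and any client that appears in both lists deserves a closer look than either heuristic alone would justify.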

"We did a lot of analysis on the system initially to make sure it wasn't a backdoor," says Volexity founder and president Steven Adair. By early February, the team had determined what was going on and recreated the exploit themselves. Over the cou ..