Security researchers believe that attacks exploiting four critical Microsoft Exchange Server vulnerabilities extend well beyond the "limited and targeted" incidents Microsoft reported this week, when it issued patches for the zero-day flaws and urged enterprises to apply them immediately.
Organizations first learned of the Exchange Server zero-days on Tuesday, when Microsoft released the fixes. Microsoft attributes the activity "with high confidence" to a group it calls Hafnium, which is believed to operate out of China and primarily targets organizations based in the United States.
As more security researchers track the activity, new details emerge about these active exploits, how they were found, and factors that drove the release of yesterday's out-of-band patches.
These attacks appear to have started as early as Jan. 6, 2021, report Volexity researchers who detected anomalous activity from two customers' Microsoft Exchange servers that month.
"We did a lot of analysis on the system initially to make sure it wasn't a backdoor," says Volexity founder and president Steven Adair. By early February, the team had determined what was going on and recreated the exploit themselves. Over the cou ..