The Microsoft Exchange Server Exploit: What Happened Next

It may be April Fool’s Day, but zero-day exploits detected in Microsoft Exchange Servers are no joke. It has now been four weeks since Microsoft announced that threat actors were exploiting four zero-day vulnerabilities, collectively known as the “ProxyLogon” vulnerabilities. At the time, we wrote a blog mapping MITRE ATT&CK to the Microsoft Exchange exploits, but a lot has happened since then. In this blog, we take up what happened next.


For those who avoided all the cyber headlines, here’s a recap of what happened. In early March, Microsoft announced that four zero-day vulnerabilities in on-premises Exchange Server were being actively exploited by a threat group linked to the People’s Republic of China (PRC), which Microsoft tracks as HAFNIUM. Microsoft quickly issued patches for these vulnerabilities but warned customers that patching closes the holes without evicting an attacker who had already compromised a server: anyone targeted before patching still needs to hunt for web shells and other persistence. Additionally, Microsoft released a script that lets customers check their servers for indicators of compromise attributed to HAFNIUM, and warned that other threat groups would likely pick up the same exploits.

HAFNIUM is not alone in its efforts


Just over a week later, ESET researchers reported that “at least ten” advanced persistent threat (APT) groups had exploited the ProxyLogon vulnerabilities. Some of these threat actors had access to the exploits before Microsoft published its announcement and the patches. According to a blog by Volexity, the earliest detected exploitation of the ProxyLogon vulnerabilities occurred on 03 Jan 2021. Microsoft was informed of these vulnerabilities by a “well-known vulnerability researcher” on 05 Jan 2021. It is unclear what acti ..
