Worldwide Hack: Microsoft Exchange Server Zero-day Exploits

Hundreds of thousands of organizations worldwide have been newly hacked through holes in Microsoft's email software, according to a Krebs on Security article posted March 5, 2021.

“At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded 100,000s of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.”

“This is the real deal,” tweeted Christopher Krebs, the former Cybersecurity and Infrastructure Security Agency (CISA) director. “If your organization runs an [Outlook Web Access] OWA server exposed to the internet, assume compromise between 02/26-03/03.”

Current Situation – What We Know

Per a Microsoft Blog Post dated 3/2/21 and updated 3/4/21 and 3/5/21:

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”

“The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today’s Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server. We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.”

*** This is a Security Bloggers Network syndicated blog from The Mission Secure Blog authored by Paul Robertson. Read the original post at: