Multiple threat groups have been observed exploiting the four zero-day vulnerabilities in Microsoft Exchange Server that were patched earlier this week.
Microsoft announced that the four vulnerabilities had been exploited by a Chinese Advanced Persistent Threat (APT) group known as Hafnium since at least early January, but following the announcement, several other nation-state hacking groups have been identified exploiting the flaws. Volexity reports that the earliest known attack occurred on January 6, 2021.
The vulnerabilities – tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 – are being chained together to gain access to vulnerable on-premises Microsoft Exchange Servers, deploy web shells, and exfiltrate entire mailboxes.
Initially, Hafnium’s cyberespionage campaign targeted infectious disease researchers, defense contractors, law firms, NGOs, universities, and policy think tanks; however, several security researchers have since reported large-scale attacks on a much broader range of organizations of all types and sizes, including healthcare providers, banks, utility companies, hotels, and other mid-market businesses, as well as local and county governments.
Exploitation of the CVE-2021-26855 vulnerability allows attackers to authenticate to vulnerable Microsoft Exchange Servers and achieve remote code execution. Huntress researchers say they have discovered more than 100 web shells deployed across 1,500 vulnerable Microsoft Exchange Servers; because a web shell is a separate persistence mechanism, it will continue to provide access to the Exchange servers even after the patches have been applied.
ESET says it has identified multiple APT groups exploiting the vulnerabilities, including APT27, LuckyMouse, Tick, Calypso, and other as-yet-unidentified clusters. Most of the attacks have been concentrated on U.S. companies and organizations, although attacks have also been detected throughout Europe, the Middle East, and Asia.
While Hafnium was conducting attacks for cyber espionage purposes, the intentions of other threat groups are unclear. The web shells that are being deployed could be used to steal sensitive data but could also be used for a range of other malicious purposes.
Microsoft warned organizations that immediate patching was required to prevent exploitation and that attacks are likely to continue to increase over the coming days. In addition to applying the patches to fix the flaws and prevent exploitation, it is essential for incident response teams to scan their event logs and Exchange server logs to identify whether the vulnerabilities have already been exploited, since patching alone does not remove web shells or other footholds established before the patch was applied. Microsoft provided indicators of compromise (IoCs) for incident response teams in a recent blog post.