The Chinese Communist Party (CCP) sponsored hacking team HAFNIUM is targeting on-premises Microsoft Exchange Server email servers with multiple “zero-day exploits” to steal email and install backdoors that allow future access, according to a Microsoft blog post on March 2.
A “zero-day exploit” is defined by Wikipedia as malicious software targeting a vulnerability “that is unknown to those who should be interested in mitigating the vulnerability (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network.”
The Microsoft Security Response Center (MSRC) quickly released patches for Exchange Server 2013, 2016, and 2019 the same day. In describing the basics of how the attack works, MSRC said, “These vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access.”
“Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”
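The mitigation MSRC describes above, restricting who can reach port 443, is one an administrator would most likely apply in Windows Firewall on the Exchange server itself. The script below is an added example written for this page, not code from MSRC or Microsoft, and the trusted address ranges in it are placeholders:

```powershell
# Added example, not code from the MSRC post: apply MSRC's interim mitigation
# (restrict untrusted connections to TCP/443) with Windows Firewall on the
# Exchange server itself. Run from an elevated PowerShell session.
# ASSUMPTION: the ranges below are placeholders for the internal network and the
# address pool the VPN concentrator hands out. Replace them with your own.
$TrustedRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

# Windows Firewall evaluates explicit Block rules ahead of Allow rules, so a
# "block 443 from everywhere" rule would also block the trusted ranges. Instead,
# confirm the profile default for inbound traffic is Block and narrow every
# enabled inbound Allow rule for TCP/443 to the trusted sources.
Set-NetFirewallProfile -All -DefaultInboundAction Block

$Port443Rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { @($_.LocalPort) -contains '443' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

if (-not $Port443Rules) {
    Write-Warning 'No enabled inbound Allow rule lists port 443 explicitly; check rules with LocalPort "Any" or port ranges by hand.'
}

foreach ($rule in $Port443Rules) {
    Write-Host ("Scoping rule '{0}' to trusted ranges" -f $rule.DisplayName)
    $rule | Set-NetFirewallRule -RemoteAddress $TrustedRanges
}

# Verify: each rule should now show only the trusted ranges as RemoteAddress.
foreach ($rule in $Port443Rules) {
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        RemoteAddress = ($addr.RemoteAddress -join ', ')
    }
}
```

Two caveats a practitioner would want. First, this cuts off Outlook on the web, ActiveSync and Outlook Anywhere for every client outside the trusted ranges, which is why MSRC pairs it with a VPN; it also breaks any Exchange hybrid traffic arriving from Exchange Online unless those addresses are added. Second, as MSRC says, it only blocks the unauthenticated first stage: rules that allow a program on any port are not narrowed by the script, a server that was already exposed may already carry a web shell, and the patches still need to be installed.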
Chinese communist hackers steal emails from Microsoft Exchange U.S. targets
Microsoft describes the CCP’s HAFNIUM as targeting “entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” adding the group often “operates primarily from leased virtual private servers (VPS) in the United States.”
“HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users,” added the Redmond software giant.
A Microsoft blog post described the broad outline of how the attack functioned: “The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”
The company says it has briefed U.S. law enforcement and security agencies on its findings.
Volexity’s third-party analysis finds zero-day exploits used since at least January
Microsoft credited industry peers at Volexity and Dubex for collaboration in the investigation. Volexity released a blog post about the exploits, dubbing it “Operation Exchange Marauder.”
Volexity says they first detected suspicious activity on some clients’ networks in January and through their investigation discovered the activity was a result of zero-day exploits “being used in the wild” against Microsoft Exchange Server.
Volexity describes the severity of the attack vector, which was actually being used to “steal the full contents of several user mailboxes,” in considerably graver terms and more detail than Microsoft does in its public communications: “This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.”
According to the group, Microsoft Exchange Server deployments in corporate environments run either on a single server or split across multiple servers for load balancing. Volexity says the specifics of the exploit allowed HAFNIUM to obtain the contents of a mailbox with nothing more than the target’s email address when the deployment spanned multiple servers, but required the user’s Domain Security Identifier (SID) when it was a single server. While the SID is a static value and not a secret, Volexity notes “it is not something that is trivially obtained by someone without access to systems within a specific organization.”
The attackers must also acquire the internal Fully Qualified Domain Name (FQDN) of the Exchange server to make the attack work, but Volexity’s analysis revealed the CCP hackers were able to ascertain it “with only initial knowledge of the external IP address or domain name of a publicly accessible Exchange server.”
HAFNIUM had been able to remain undetected by limiting itself to stealing email, but Volexity reports the group recently “pivoted to launching exploits to gain a foothold.” Volexity found the Chinese communist attackers had begun using the same set of zero-day vulnerabilities against Exchange servers to achieve remote code execution, in an attempt to gain more than just mailbox contents.
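Both the web shell Microsoft describes as step two of the chain and the foothold Volexity says the group has pivoted to leave files in the Exchange server’s web directories. The script below is a first-pass hunt for them, added here as an example and not taken from either vendor’s report; the directories, the January cutoff and the pattern list are assumptions noted in the comments:

```powershell
# Added example, not code from the Microsoft or Volexity posts: a first-pass hunt
# for ASP.NET web shells on an Exchange front end, run locally on the server.
# ASSUMPTIONS: the two web roots are the usual Exchange/IIS locations, the cutoff
# reflects the "since at least January" timeline in the reports, and the regex
# heuristics are illustrative. All three need tuning for your environment.
$Cutoff = Get-Date '2021-01-01'

$WebRoots = @('C:\inetpub\wwwroot')                       # default IIS site root
if ($env:ExchangeInstallPath) {                           # set on every Exchange server
    $WebRoots += Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'   # OWA/ECP/etc. vdirs
}
$WebRoots = $WebRoots | Where-Object { Test-Path $_ }

# Constructs typical of single-file ASP.NET shells. Exchange's own .aspx pages
# are thin wrappers over precompiled code and almost never contain these.
$ShellPattern = 'eval\(|Request\[|Request\.Form|Request\.Item|Process\.Start|' +
                'Language="JScript"|System\.Diagnostics|Runtime\.InteropServices'

$Findings = foreach ($root in $WebRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Cutoff -or $_.CreationTime -gt $Cutoff } |
        ForEach-Object {
            $hit = Select-String -Path $_.FullName -Pattern $ShellPattern -List -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path       = $_.FullName
                Created    = $_.CreationTime
                LastWrite  = $_.LastWriteTime
                SizeBytes  = $_.Length
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                PatternHit = if ($hit) { $hit.Matches[0].Value } else { '' }
            }
        }
}

# Pattern hits first, newest first. Files with no hit still deserve a look:
# a shell only a few bytes long is trivial to obfuscate past any regex.
$Findings |
    Sort-Object @{ Expression = { [bool]$_.PatternHit }; Descending = $true },
                @{ Expression = 'LastWrite';            Descending = $true } |
    Format-Table Path, Created, LastWrite, SizeBytes, PatternHit -AutoSize
```

Treat hits as leads, not verdicts. Hashes of flagged files can be compared with the same paths on a freshly built server of the same Exchange build, and the IIS logs should be checked for POST requests to any flagged file. Removing a shell does not undo anything the attacker already did with it, so a confirmed shell should be handled as an incident rather than a cleanup.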
This instance is not the only recent case of a Chinese hacking team being caught red-handed. On Feb. 22, Check Point Research published an extensive breakdown of a set of exploits known as “JIAN,” captured from the CCP’s APT-31 [Zirconium] team, who used the exploits clumsily and appeared not to fully understand how they worked.
The zero-day exploits appear to have been copied directly from a set of tools used by the Equation Group, the elite hacking team widely attributed to the U.S. National Security Agency, calling into serious question where, when, and how the CCP obtained the nation-grade exploits.
“There is a theory which states that if anyone will ever manage to steal and use nation-grade cyber tools, any network would become untrusted, and the world would become a very dangerous place to live in,” opened the article.
“There is another theory which states that this has already happened.”