On March 2, 2021 Microsoft detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server.
Over the next few days, over 30,000 organizations in the US were attacked as hackers used several Exchange vulnerabilities to gain access to email accounts and install web shell malware, giving the cybercriminals ongoing administrative access to the victims’ servers.
On the same day, Microsoft announced they suspected the attacks were carried out by a previously unidentified Chinese hacking group they dubbed Hafnium. According to the Microsoft Threat Intelligence Center (MSTIC), Hafnium is suspected to be state-sponsored and operating out of China, primarily targeting organizations in the United States across multiple industry segments and operating primarily via leased virtual private servers (VPSs) in the U.S.
Microsoft has released updates addressing Exchange Server versions 2010, 2013, 2016, and 2019. The software vulnerabilities involved include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065; together, these are commonly referred to as ProxyLogon.
According to Gartner analyst Peter Firstbrook, what the hackers are really looking for is a rich attack environment, and targeting on-premises software in organizations that don’t pay much attention to legacy software updates is fertile ground.
“A lot of customers have already moved to online Exchange, at least the more savvy customers have. That leaves behind the late adopters and less mature organizations that just keep carrying on with the old platforms. This is the richest attack environment,” Firstbrook said. “These people are busy running their businesses and are not paying attention. They have IT generalists running Exchange instead of specialized admins. That is why Microsoft is trying to get everyone to pay attention to this hack, because this community tends not to pay attention to these things on a day-to-day basis.”
The hackers’ endgame is not the on-premises servers they put web shells in, but setting themselves up for future attacks on higher-value targets those servers may be connected to, said Firstbrook.
“Even if these…