Chinese hackers use Microsoft e-mail product to steal data


In the latest in a series of security-related headaches for Microsoft, the company warned customers on Tuesday that state-sponsored hackers from China are exploiting flaws in one of its widely used email products, Exchange, to target US companies for data theft.

In several recently published blog posts, the company listed four newly discovered zero-day vulnerabilities related to the attacks, along with patches and a list of indicators of compromise. Exchange users are urged to update to prevent being hacked.

Microsoft researchers named the main hacker group behind the attacks ‘HAFNIUM’, describing it as a ‘highly skilled and sophisticated actor’ focused on espionage through data theft. In previous campaigns, HAFNIUM was known to target a wide range of entities across the US, including ‘infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and non-governmental organizations’, they said.

In the case of Exchange, these attacks meant that data was being exfiltrated from email accounts. Exchange works with email clients like Microsoft Office, keeping mail in sync across phones and computers, and is widely used by companies, universities, and other large organizations.

Attacks on the product unfolded as follows: the hackers would use the zero-days to gain access to an Exchange server (in some cases they also used stolen credentials). They would then typically deploy a web shell (a malicious script) that let them control the server remotely. From there, the hackers could steal data from the associated network, including entire mailboxes. According to Microsoft, the attacks were carried out from private servers located in the US.

Microsoft’s Vice President of Customer Security, Tom Burt, said Tuesday that customers need to act quickly to patch the associated security vulnerabilities:

Although we have worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any systems that have not been patched. Promptly applying today’s patches is the best protection against this attack.

The situation was originally brought to Microsoft’s attention by researchers at two different security firms, Volexity and Dubex. According to KrebsOnSecurity, Volexity first found evidence of the intrusion campaigns on January 6. In a blog post on Tuesday, researchers from Volexity broke down the malicious activity in one specific case:

Through its analysis of system memory, Volexity found that the attacker was exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). The attacker used the vulnerability to steal the entire contents of several user mailboxes. This vulnerability is remotely exploitable and requires no authentication of any kind, nor does it require any special knowledge of or access to a target environment. The attacker only needs to know which server is running Exchange and which account they want to retrieve email from.

These recent hacking campaigns – which according to Microsoft are ‘limited and targeted’ – are not related to the ongoing ‘SolarWinds’ attacks, which the technology giant is also currently dealing with. The company did not say how many organizations were targeted or successfully compromised by the campaign, and threat actors other than HAFNIUM may also be involved. Microsoft says it has informed federal authorities about the incidents.
