Update: The headline of this story was changed to reflect that patching alone is not enough to prevent threat actors already inside company networks. Updated information on the Microsoft Exchange Server hack can be found here.
Microsoft has confirmed that a hacking group with ties to the Chinese state, which it has dubbed “Hafnium”, has successfully compromised a “limited” number of customers using the on-premises versions of its Exchange Server. In the same week, the Redmond-headquartered tech vendor announced that it would place new data centres on Chinese territory.
The zero-day exploits gave the Hafnium hackers a way into on-prem Exchange servers – the tech goliath’s mail server and calendar product – from which they could then install malware for future attacks.
In a blog post, Microsoft said it has “high confidence” that Hafnium was behind the attacks. The group has previously been linked to the Chinese state based on its tactics and targets. In the past Hafnium has targeted law firms, infectious disease researchers and defence contractors, among others. It uses virtual private servers based in the US to launch attacks against American companies.
Exchange Server is a business-class product, and Microsoft said it had “no evidence” of any impact from the Hafnium intrusions on individual consumers.
The attacks started as early as 6 January 2021 and once Hafnium compromised its victims’ servers it deployed a web shell, a malicious interface that gives hackers the ability to steal data or install malicious software.
In one observed attack, Hafnium operators successfully compressed stolen data into ZIP files for exfiltration, used Exchange PowerShell snap-ins to export emails and installed a connection to a remote server.
Microsoft said Exchange Online is not affected, but confirmed that the Hafnium hackers successfully stole the offline address books of compromised companies, giving them access to data about the organisation and its users.
Researchers at cybersecurity firms Volexity and Dubex uncovered separate parts of the attack and alerted Microsoft.
In its own blog post, Volexity said it detected “anomalous activity from two of its customers’ Microsoft Exchange servers”.
It observed a “large amount of data” being sent to suspicious IP addresses. Volexity’s investigation established that this was a case of a zero-day vulnerability being used in the wild, as opposed to a backdoor.
The four Hafnium zero-day exploits are:
Microsoft is urging organisations to patch these Exchange Server zero-days “immediately” and has published information for doing so here.
“We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately,” Microsoft said.
Even as it warned of suspected Chinese-government-linked hackers stealing data and sending it back to China, Microsoft announced that it plans to build new data centres in the People’s Republic – a move which could save Hafnium and its allies some effort. China’s National Intelligence Law requires businesses operating on its territory to cooperate with the country’s intelligence services and, if ordered, keep secret the fact that they have done so. Most major nations have similar regulations on their books, with Australia only the latest to bring them in.
As part of its Ignite virtual conference this week, Microsoft said it was making the move to “meet growing customer demand in China”.
Last year video software company Zoom came under fire after it emerged it was routing some of its virtual traffic through servers in China, leading to fears that the Chinese government could demand access to that data.