Chinese hackers allegedly hit thousands of organizations using Microsoft Exchange

Thousands of organizations may have been victims of cyberattacks on Microsoft Exchange servers conducted by China-linked threat actors since January.

At least tens of thousands of Microsoft customers may have been hacked by allegedly China-linked threat actors since January, including business and government agencies.

The attacks started in January, but the attackers’ activity intensified in recent weeks according to the experts at security firm Volexity.

Volexity experts were investigating the compromise of Microsoft Exchange servers belonging to its customers when discovered that the attackers exploited a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). 

“The attacker was using the vulnerability to steal the full contents of several user mailboxes. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment.” reads the analysis published by Volexity. “The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.”

Microsoft confirmed the attacks against the Exchange servers that aimed at stealing emails and install malware to gain persistence in the target networks.

“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.” wrote Microsoft. “Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”

Last week Microsoft has released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported MS Exchange versions that are actively exploited in the wild.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued the Emergency Directive 21-02 in response to the disclosure of zero-day vulnerabilities in Microsoft Exchange. 

The IT giant reported that at least one China linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments.

The US CISA released the emergency directive, titled “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities,” to order federal agencies to urgently update or disconnect MS Exchange on-premises installs.

“CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.” reads the advisory published by US CISA.

“CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.”

CISA urges agencies that have the expertise to collect forensically triage artifacts and determine the presence of any anomalous behavior or an indication of compromise,

The popular investigator Brian Krebs speculates that at least 30,000 Microsoft customers were impacted by the hacking campaign.

“At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity.” reported Krebs. “The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.”

Chinese authorities denied any involvement in the recent attacks.

“China has reiterated on multiple occasions that given the virtual nature of cyberspace and the fact that there are all kinds of online actors who are difficult to trace, tracing the source of cyberattacks is a complex technical issue.” said Wang Wenbin, a spokesman for China’s Ministry of Foreign Affairs “It is also a highly sensitive political issue to pin theof cyberattack to a certain government.”

Volexity experts observed an escalation of the attacks in late February, when attackers started chaining multiple vulnerabilities and targeting a larger number of victims.

“During the course of multiple incident response efforts, Volexity identified that the attacker had managed to chain the SSRF vulnerability with another that allows remote code execution (RCE) on the targeted Exchange servers (CVE-2021-27065).” continues Volexity. “In all cases of RCE, Volexity has observed the attacker writing webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT), and move laterally to other systems and environments.”

Researchers at the MS Exchange Server team have recently released a script that could be used by administrators to check if their installs are vulnerable to the recently disclosed vulnerabilities. 

Microsoft released the tool as open-source on GitHub, it can be used to check the status of Exchange servers. 

The script automates the tests for the four zero-day vulnerabilities in Microsoft Exchange Server. 

“Microsoft has released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021.” states CISA.

“CISA is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the Test-ProxyLogon.ps1 script—as soon as possible—to help determine whether their systems are compromised. For additional information on the script, see Microsoft’s blog HAFNIUM targeting Exchange Servers with 0-day exploits.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange)

[adrotate banner=”5″]

[adrotate banner=”13″]