Microsoft reports 'new attacks by Chinese government-backed hackers exploiting Exchange Server vulnerabilities'


by

Craig Nagy

On March 2, 2021, Microsoft reported on its official blog a series of cyberattacks by a hacker group affiliated with the Chinese government. The group, which Microsoft calls 'Hafnium', has been exploiting vulnerabilities in Microsoft's e-mail server product, Exchange Server, to steal information from a wide range of organizations.

New nation-state cyberattacks - Microsoft On the Issues
</gg_replace>
<gr_replace lines="24" cat="clarify" orig="According to Microsoft">
According to the Microsoft Threat Intelligence Center (MSTIC), Hafnium is a highly skilled, sophisticated actor backed by the Chinese government. Its targets have primarily been organizations in the United States: infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs, from which it steals sensitive information. Although Hafnium is believed to operate from China, its attacks are conducted mainly through leased virtual private servers hosted in the United States.
https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/

Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails — Krebs on Security
https://krebsonsecurity.com/2021/03/microsoft-chinese-cyberspies-used-4-exchange-server-flaws-to-plunder-emails/

Microsoft issues emergency patches for 4 exploited 0-days in Exchange | Ars Technica
https://arstechnica.com/information-technology/2021/03/microsoft-issues-emergency-patches-for-4-exploited-0days-in-exchange/

Microsoft says Chinese hackers targeted groups via server software | Reuters
https://jp.reuters.com/article/us-usa-cyber-microsoft/microsoft-says-chinese-hackers-targeted-groups-via-server-software-idUSKCN2AU2MF



According to Microsoft's Threat Intelligence Center (MSTIC), Hafnium is a highly sophisticated hacker group backed by the Chinese government, primarily American infectious disease laboratories, law firms, higher education institutions and defense contractors.・ It is said that it is stealing important information by launching cyber attacks targeting policy think tanks and NGOs. Although Hafnium is based in China, the attacks are believed to be primarily from virtual private servers hosted in the United States.

It was reportedly the American security company Volexity that alerted Microsoft to the Hafnium attacks. Hafnium attacked Exchange Server using four zero-day vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

According to Tom Burt, Microsoft's Corporate Vice President for Customer Security & Trust, Hafnium's attack proceeds in three steps:

1. The attacker gains access to an Exchange Server, either with stolen passwords or by exploiting the zero-day vulnerabilities to disguise itself as someone who should have access.
2. It plants a backdoor (a web shell) on the compromised server so that it can be controlled remotely.
3. Using that remote access, routed through virtual private servers in the United States, it steals data from the target organization's network.



According to Volexity President Steven Adair, the attacks were first detected on January 6, 2021. Although the technique Hafnium uses appears to have required considerable technical skill to develop, Adair says it takes little effort to use in practice: an attacker can easily exploit a vulnerable Exchange Server and steal data.

Burt said that Hafnium's targets are organizations in the United States; Microsoft has seen no evidence that the group targets individual consumers, or that the exploits affect Microsoft products other than Exchange Server. He also said that the Exchange Server vulnerabilities found this time are in no way connected to the cyberattack on the US government discovered in 2020 that abused flaws in SolarWinds software.

New evidence found of hacking into the U.S. government using flaws in SolarWinds software - GIGAZINE



Microsoft has already released security updates for Exchange Server to protect its users and is urging all customers to apply them as quickly as possible.

Although the vulnerabilities involved are different from those in this attack, Chinese hackers have previously been reported to have exploited Exchange Server vulnerabilities to attack American organizations.

Chinese hackers found to have used vulnerabilities in Microsoft Exchange Server and other products to attack the US government - GIGAZINE



in Software, Security, Posted by log1h_ik