Microsoft has warned that “highly skilled and sophisticated” hackers linked to China have exploited vulnerabilities in its Exchange Server, with users urged to immediately install the now-available patch.
In a blog post, Microsoft vice-president for customer security Tom Burt said that a hacking group dubbed Hafnium had exploited four newly discovered zero-day security vulnerabilities in its enterprise email product.
The group, which is a “highly skilled and sophisticated actor” according to Burt, is primarily targeting businesses and organisations in the United States in an attempt to steal information, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.
“Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software,” Burt said in the blog post.
Burt said that Hafnium operates out of China but was using servers located in the US to carry out the recent attacks.
These attacks played out in three steps, Burt said.
Firstly, the hackers gained access to a company’s Exchange Server using either a stolen password or one of the newly discovered vulnerabilities to disguise themselves as someone who should have access to the server.
Once inside, they then created a “web shell” to control the compromised server remotely.
Finally, the hackers used that remote access to steal data from the victim organisation, including email accounts and address books, and to plant further malware.
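The second step above, the web shell dropped on the compromised server, is the one a defender can most readily hunt for on disk. The following is an added example, not code from Microsoft's blog post or from the Hafnium advisory: a small triage script that walks a web root, keeps only script files modified after a baseline time (for instance the last known-good backup), and flags those whose contents contain patterns typical of a minimal ASP.NET web shell (reading request input and passing it to an evaluator or a process launcher). The directory layout, the file names, the marker list and the baseline are all assumptions constructed for the demonstration; real triage should be driven by the vendor's published indicators.

```python
"""Triage helper: find recently modified, web-shell-like script files.

Added example, not from the original article. Paths, markers and the
baseline window are illustrative assumptions.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Generic markers seen in minimal ASP.NET web shells: code that takes
# attacker-supplied request input and hands it to an evaluator or a shell.
# This list is an assumption, not a vendor IoC set.
SUSPICIOUS_MARKERS = [
    re.compile(rb"Request\s*[\.\[]", re.I),   # reads request parameters
    re.compile(rb"\beval\s*\(", re.I),        # dynamic evaluation (JScript)
    re.compile(rb"Process\.Start", re.I),     # spawns a process
    re.compile(rb"cmd\.exe", re.I),
    re.compile(rb"powershell", re.I),
]

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


@dataclass
class Finding:
    path: str
    modified: datetime
    markers: list = field(default_factory=list)


def scan_web_root(root, baseline, extensions=SCRIPT_EXTENSIONS):
    """Return Findings for script files under `root` that were modified
    after `baseline` (an aware datetime) and match at least one marker.

    Files modified on or before the baseline are skipped: a web shell
    written during an intrusion is, by definition, newer than the last
    known-good state of the server."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime <= baseline:
            continue
        data = path.read_bytes()
        hits = [m.pattern.decode() for m in SUSPICIOUS_MARKERS if m.search(data)]
        if hits:
            findings.append(Finding(str(path), mtime, hits))
    return findings


def demo():
    """Build a constructed sample web root in a temp dir, scan it, and
    return the flagged paths relative to the root (POSIX separators)."""
    root = Path(tempfile.mkdtemp())

    # Legitimate page: recent, but reads no request input and runs nothing.
    benign = root / "site" / "logon.aspx"
    benign.parent.mkdir(parents=True)
    benign.write_bytes(b'<%@ Page Language="C#" %><html>Sign in</html>')

    # Shell-like content, but older than the baseline: part of the
    # known-good state, so it is not reported by this recency filter.
    old = root / "site" / "legacy.aspx"
    old.write_bytes(b'<%@ Page Language="JScript" %><% eval(Request.Item["a"]); %>')
    stale = time.time() - 30 * 86400
    os.utime(old, (stale, stale))

    # Shell-like content written after the baseline: this is the finding.
    fresh = root / "site" / "app" / "page.aspx"
    fresh.parent.mkdir()
    fresh.write_bytes(b'<%@ Page Language="JScript" %><% eval(Request.Item["cmd"]); %>')

    baseline = datetime.now(timezone.utc) - timedelta(days=7)
    found = scan_web_root(root, baseline)
    return sorted(Path(f.path).relative_to(root).as_posix() for f in found)


if __name__ == "__main__":
    for rel in demo():
        print("suspicious:", rel)
```

The recency filter is what keeps the noise down: legitimate application pages also read request parameters, so content matching alone would flag much of a normal web root. Anchoring the scan to a trusted baseline (backup date, last patch window, file-integrity manifest) turns the marker list into a second-stage filter rather than the only signal.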
The attack can be used to compromise vulnerable on-premises servers running Microsoft’s Exchange 2013 and later versions.
Microsoft has issued a security update patching the flaws, with all users urged to install it immediately.
“We strongly encourage all Exchange Server customers to apply these updates immediately,” Burt said.
“Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impacted other Microsoft products.
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack.”
This marks the eighth time in the last year that Microsoft has publicly revealed that nation-state actors have targeted institutions that are “critical to society”, Burt said.
The company said that the four newly discovered vulnerabilities that had been exploited by the hacking group were not involved with the recent SolarWinds breach, which impacted US federal agencies.
“The exploits we’re discussing today were in no way connected to the separate SolarWinds-related attacks,” Burt said.
“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services.”
Late last year, Microsoft said that two North Korea-linked hacking groups had targeted vaccine developers in a number of countries. The South Korean government said it had foiled some of these attempted attacks.
In July last year, Microsoft moved to patch a significant security flaw in its Windows DNS server that had been sitting unnoticed for 17 years, which could have been used to execute remote code on machines from outside of the network.