Microsoft says that attacks using the zero-day flaws have been traced back to Hafnium.

What is a zero-day? A zero-day (also known as 0-day) vulnerability is a software vulnerability that is unknown to those who should be interested in mitigating it (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network. An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.

The term “zero-day” originally referred to the number of days since a new piece of software was released to the public, so “zero-day” software was software that had been obtained by hacking into a developer’s computer before release. Eventually the term was applied to the vulnerabilities that allowed this hacking, and to the number of days that the vendor has had to fix them. Once the vendor learns of the vulnerability, they will usually create patches or advise workarounds to mitigate it.

The more recently the vendor has become aware of the vulnerability, the more likely it is that no fix or mitigation has been developed. Once a fix is developed, the chance of the exploit succeeding decreases as more users apply the fix over time. For zero-day exploits, unless the vulnerability is inadvertently fixed, such as by an unrelated update that happens to fix it, the probability that a user has applied a vendor-supplied patch that fixes the problem is zero, so the exploit remains available. Zero-day attacks are a severe threat.

Zero-day vulnerabilities in Microsoft Exchange Server are now being used in widespread attacks against thousands of organisations, with potentially tens of thousands of organisations affected, according to security researchers.

The vulnerabilities, assigned CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, enable threat actors to access victim email accounts and install malware to gain long-term access to their wider environments. According to Microsoft’s Threat Intelligence Center (MSTIC), the campaign is attributed with a high degree of confidence to a group known as Hafnium.

If used in an attack chain, all of these vulnerabilities can lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment.

In summary, Microsoft says that attackers gain access to an Exchange Server either through these bugs or through stolen credentials, and they can then create a web shell to hijack the system and execute commands remotely.

“These vulnerabilities are used as part of an attack chain,” Microsoft says. “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”

“Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products.”

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack,” he added.

Hafnium is a state-sponsored advanced persistent threat (APT) group from China that is described by the company as a “highly skilled and sophisticated actor.”

While Hafnium originates in China, the group uses a web of virtual private servers (VPS) located in the US to try to conceal its true location. Entities previously targeted by the group include think tanks, non-profits, defense contractors, and researchers.

The Hafnium attackers deployed “web shells” on compromised Exchange servers for the purpose of stealing data and installing more malware. Web shells are small scripts that provide a basic interface for remote access to a compromised system. According to Brian Krebs, author of KrebsOnSecurity, the Hafnium hackers have accelerated attacks on vulnerable Exchange servers since Microsoft released the patches. His sources told him that 30,000 organisations in the US have been hacked as part of this campaign.
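Because the campaign's persistence mechanism is a web shell dropped into a web-served directory, a defender's first triage step is to look for script files in the web root that both read request input and reach a command- or code-execution primitive, or that were written after the server was last legitimately changed. The following is an added example, not code from the article, Microsoft or KrebsOnSecurity; the file extensions, the indicator regexes, the seven-day "recently modified" window and the sample files it creates in a temporary directory are all assumptions chosen for illustration, not an authoritative signature set or real Exchange content.

```python
import os
import re
import tempfile
import time

# File types worth inspecting in an IIS/Exchange web root. Assumption for
# illustration; extend to whatever script types the server actually executes.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".php"}

# A file is flagged as shell-like when it both reads request input and
# reaches a code- or command-execution primitive. Illustrative set only.
INPUT_PATTERNS = [
    re.compile(r"\bRequest\s*[\[\.]", re.I),   # ASP.NET Request["x"], Request.Form
    re.compile(r"\$_(GET|POST|REQUEST)\b"),    # PHP superglobals
]
EXECUTE_PATTERNS = [
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"\bProcess\.Start\b|\bProcessStartInfo\b", re.I),
    re.compile(r"\b(system|shell_exec|passthru|exec)\s*\(", re.I),
]

RECENT_SECONDS = 7 * 24 * 3600  # "recently modified" window; tune to the patch date


def inspect_file(path, now=None, recent_seconds=RECENT_SECONDS):
    """Return the list of reasons a file looks suspicious (empty if none)."""
    now = time.time() if now is None else now
    reasons = []
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return reasons
    takes_input = any(p.search(text) for p in INPUT_PATTERNS)
    executes = any(p.search(text) for p in EXECUTE_PATTERNS)
    if takes_input and executes:
        reasons.append("request input reaches code/command execution")
    if now - os.path.getmtime(path) < recent_seconds:
        reasons.append("modified within last %d days" % (recent_seconds // 86400))
    return reasons


def scan_webroot(root, **kwargs):
    """Walk a web root; map relative path -> reasons for every flagged script."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue  # only server-executed script types are inspected
            path = os.path.join(dirpath, name)
            reasons = inspect_file(path, **kwargs)
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample_webroot():
    """Create a constructed sample tree (not real Exchange content) for a demo run."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        # shell-like tokens inside a comment: reads a request parameter, starts a process
        "shell.aspx": '<%-- constructed sample: Request["cmd"] Process.Start(cmd) --%>\n',
        # benign page, but freshly written
        "recent.aspx": '<%-- constructed sample --%>\n<% Response.Write("hello"); %>\n',
        # benign page that has not changed in a month
        "old.aspx": '<%-- constructed sample --%>\n<% Response.Write("stable"); %>\n',
        # not a script type, so never inspected even though it contains the tokens
        "readme.txt": 'Request["x"] Process.Start(x)\n',
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    month_ago = time.time() - 30 * 24 * 3600
    os.utime(os.path.join(root, "old.aspx"), (month_ago, month_ago))  # age it
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_webroot(build_sample_webroot()).items()):
        print(rel, "->", "; ".join(reasons))
```

Run it against a real web root with `scan_webroot(r"C:\path\to\webroot")` (a placeholder path). The modification-time heuristic is deliberately noisy: every legitimately updated page in the window is reported, so set `recent_seconds` from the date of the last known-good change and treat the content match as the stronger signal. Attackers can also reset timestamps, which is why the scan does not rely on mtime alone.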