Microsoft patches four zero-day bugs impacting Exchange Server

Microsoft blames Chinese actor Hafnium for having already exploited the faults

Microsoft has released out-of-band security updates to address four zero-day bugs that are being actively exploited by hackers to compromise Exchange Server.

The flaws affect Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. Microsoft advises organisations running these products to apply the patches as early as possible.

The Exchange Online service is not affected by these vulnerabilities, which are indexed as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

According to Microsoft, all these bugs are remote code execution (RCE) vulnerabilities and could enable hackers to access email accounts and to install additional malware to facilitate long-term access to compromised networks.

"The initial attack requires the ability to make an untrusted connection to Exchange server port 443," the company said.

Volexity, one of the firms Microsoft credited with reporting the vulnerabilities, described CVE-2021-26855 as a server-side request forgery (SSRF) flaw that enables an unauthenticated attacker to steal mailbox content.

The second bug, CVE-2021-26857, is an insecure deserialisation flaw in the Unified Messaging service that allows attackers to execute code under the System account, while CVE-2021-27065 and CVE-2021-26858 are post-authentication arbitrary file write flaws: once an attacker is authenticated (for example, by way of CVE-2021-26855), they can write a file to any path on the server.

Microsoft is attributing the attacks to a newly identified state-sponsored threat actor, which it has named Hafnium. Hafnium is a highly sophisticated actor, according to Microsoft, with its members thought to be based in China.

In the past, the group has been observed targeting law firms, biomedical researchers, educational institutions and defence contractors in the US, with the aim of exfiltrating sensitive information from their systems. While the group is thought to be based in China, it primarily carries out operations using leased virtual private servers in the US.

Recent attacks by Hafnium were carried out in three steps. First, it used the zero-day bugs or stolen credentials to gain access to an Exchange Server. Then it deployed a web shell to control the compromised server remotely, and finally, it used that remote access to exfiltrate sensitive data from compromised systems.
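Applying the update closes the entry point but does not remove a web shell that has already been dropped, so the second step above is the one to hunt for. As an added example that is not part of the original article and is not Microsoft's own tooling, the following Python script walks the directories Exchange serves over port 443 and flags script files that evaluate or execute data taken straight from the HTTP request. The directory paths, file extensions and patterns are this example's assumptions about a typical Exchange 2013-2019 install, not indicators taken from the article.

```python
"""Hunt for ASP.NET web shells in Exchange's web-served directories.

Added example, not Microsoft's tooling. The paths, extensions and patterns
below are assumptions about a typical on-premises Exchange install.
"""
import os
import re
from dataclasses import dataclass, field

# Directories IIS serves for Exchange (assumed default install path).
SUSPECT_DIRS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
]

# Extensions IIS hands to the ASP.NET handler, i.e. files that execute on request.
WEB_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".cshtml"}

# Constructs typical of small ASP.NET web shells: a server-side script block
# that evaluates, executes or reflectively loads request-controlled data.
SHELL_PATTERNS = {
    "server_script": re.compile(r"<script[^>]*runat\s*=\s*[\"']?server", re.I),
    "request_param": re.compile(
        r"\bRequest\s*(?:\[|\.(?:Item|Form|QueryString)\s*\[)", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "process_exec": re.compile(
        r"Process\.Start|ProcessStartInfo|cmd\.exe|powershell(?:\.exe)?", re.I),
    "reflection": re.compile(r"Assembly\.Load|System\.Reflection", re.I),
}


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def inspect_file(path, newer_than=None, min_hits=2):
    """Return a Finding for one file, or None if it looks benign.

    A file is flagged when it matches at least `min_hits` shell patterns, or
    matches any pattern and was modified after the `newer_than` timestamp
    (legitimate files in these directories rarely change outside patching).
    """
    _, ext = os.path.splitext(path)
    if ext.lower() not in WEB_EXTS:
        return None
    try:
        recent = newer_than is not None and os.path.getmtime(path) > newer_than
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    hits = [name for name, rx in SHELL_PATTERNS.items() if rx.search(text)]
    if len(hits) >= min_hits or (recent and hits):
        reasons = ["pattern:" + h for h in hits]
        if recent:
            reasons.append("modified after cutoff")
        return Finding(path, reasons)
    return None


def scan(dirs=SUSPECT_DIRS, newer_than=None):
    """Walk the given directories and return findings, most suspicious first."""
    findings = []
    for root_dir in dirs:
        if not os.path.isdir(root_dir):
            continue  # directory absent: not an Exchange server or non-default path
        for root, _, files in os.walk(root_dir):
            for name in files:
                finding = inspect_file(os.path.join(root, name), newer_than)
                if finding:
                    findings.append(finding)
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


if __name__ == "__main__":
    import time
    cutoff = time.time() - 30 * 86400  # anything touched in the last 30 days
    for f in scan(newer_than=cutoff):
        print(f.path, "|", ", ".join(f.reasons))
```

Run it on the Exchange server itself with a cutoff just before the server was last patched; a hit in an `auth` or `aspnet_client` folder that nobody can account for should be treated as a compromised host, not just a file to delete, because the web shell is only the foothold for the exfiltration step that follows.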

Microsoft said that the four vulnerabilities it patched were in no way connected to the SolarWinds-related attacks.

"We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services," the company said.

In January, Microsoft disclosed that the hackers behind the SolarWinds security breach were able to access some of Microsoft's source code, although they could not make any changes to it.

The company said that an internal investigation into the incident revealed "unusual activity with a small number of internal accounts". When those accounts were further reviewed, it was found that hackers used one account to view "source code in a number of source code repositories".

"The account did not have permissions to modify any code or engineering systems," and the investigation confirmed that no changes were made to the code, Microsoft added.