Microsoft Exchange Server exposes tens of thousands of organisations to cyber attack

Hackers can install tools that allow total remote control over affected systems

At least 30,000 organisations across the United States have been compromised through four newly discovered vulnerabilities affecting Microsoft's Exchange Server email software.

A Chinese espionage group has seeded "hundreds of thousands" of organisations worldwide with "tools that give the attackers total, remote control over affected systems," says security researcher Brian Krebs.

In each incident, the attackers left behind a web shell: a password-protected hacking tool that can be accessed over the Internet from any browser, providing administrative access to the victims' servers.

Microsoft released security updates to address the bugs on 2nd March, and advised customers using Exchange Server to patch their systems as early as possible.

However, it appears that the updates prompted the Chinese group - which Microsoft has dubbed 'Hafnium' - to step up its attacks on servers that have not been patched.

Security researchers have now warned that Microsoft's security patches cannot disinfect systems that have already been hacked.

'Patching and mitigation is not remediation if the servers have already been compromised,' the National Security Council stated on Saturday.

'It is essential that any organisation with a vulnerable server take immediate measures to determine if they were already targeted.'

Chris Krebs, the former head of the Cybersecurity and Infrastructure Security Agency (CISA) (not affiliated with the Krebs on Security blog), said organisations that run an on-premises Exchange server exposed to the internet can "assume compromise" between 26th February and 3rd March.

"This is the real deal," he warned.

Microsoft has updated its post on the Hafnium attacks twice since the 2nd March, adding a scan for indicators of compromise and new mitigation guidance.

White House press secretary Jen Psaki has said the vulnerabilities "could have far-reaching impacts," adding the White House is concerned about the increasing number of victims.

"This is an active threat," Psaki said.

Port 443

Microsoft says the four new bugs are remote code execution (RCE) vulnerabilities, which could enable hackers to access email accounts and install additional tools to facilitate long-term access to compromised networks - such as the web shell.

'The initial attack requires the ability to make an untrusted connection to Exchange Server port 443,' the company said last week.

The flaws, indexed as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, affect Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019.

The Microsoft Threat Intelligence Center (MSTIC) identified Hafnium as the culprit. The group is thought to be based in China and has attempted to steal information from groups such as law firms, infectious disease researchers, defence contractors and higher education institutions.

Hafnium carried out its recent attacks in three steps: first, it used the zero-day bugs or stolen passwords to gain access to an Exchange Server; it then created a web shell to control the compromised server remotely; and finally, it used that remote access to exfiltrate sensitive data from the compromised systems.
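Because the patches do not remove a web shell that is already in place, the practical follow-up for a defender is to look for server-side script files that appeared or changed during the exposure window the article quotes (26th February to 3rd March). The script below is an added illustration of that triage step, not Microsoft's indicator-of-compromise scanner and not code from the article: it builds a throwaway directory tree standing in for a web root, populates it with constructed file names and timestamps, and returns every `.aspx`/`.asp`/`.ashx`/`.asmx` file whose modification time falls inside the window. The directory names `owa/auth` and `ecp/auth` are used only as plausible locations for the sample files; a hit is a lead for manual review, not proof of compromise, since attackers can also reset timestamps.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Exposure window quoted in the article: 26 Feb through the end of 3 Mar 2021 (UTC).
WINDOW_START = datetime(2021, 2, 26, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 3, 4, tzinfo=timezone.utc)  # exclusive upper bound

# Server-side script extensions that IIS will execute; a web shell must use one of these.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}


def find_scripts_modified_in_window(web_root, start=WINDOW_START, end=WINDOW_END,
                                    extensions=SCRIPT_EXTENSIONS):
    """Return the relative paths (sorted, '/'-separated) of script files under
    web_root whose modification time lies in [start, end).

    Each hit is a triage lead to be reviewed by hand, not a verdict."""
    root = Path(web_root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if start <= mtime < end:
            hits.append(str(path.relative_to(root)).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_web_root():
    """Construct a temporary directory tree standing in for an Exchange web root.

    Every file name and timestamp here is made up for the demonstration; the
    'constructed_*' names are deliberately not real indicators of anything."""
    tmp = Path(tempfile.mkdtemp(prefix="webroot_"))
    samples = {
        # relative path: modification time (UTC)
        "owa/auth/logon.aspx": datetime(2020, 11, 10, tzinfo=timezone.utc),          # long-standing, outside window
        "owa/auth/constructed_a.aspx": datetime(2021, 3, 1, 9, 30, tzinfo=timezone.utc),  # inside window
        "ecp/auth/constructed_b.aspx": datetime(2021, 2, 27, 2, 0, tzinfo=timezone.utc),  # inside window
        "owa/auth/style.css": datetime(2021, 3, 1, tzinfo=timezone.utc),             # inside window but not a script
        "aspnet_client/info.txt": datetime(2021, 3, 2, tzinfo=timezone.utc),         # inside window but not a script
        "owa/auth/constructed_c.aspx": datetime(2021, 3, 9, tzinfo=timezone.utc),    # script, but after the window
    }
    for rel, when in samples.items():
        full = tmp / rel
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_text("<!-- constructed placeholder content -->\n")
        ts = when.timestamp()
        os.utime(full, (ts, ts))  # set both access and modification time
    return tmp


def demo():
    """Build the sample tree and run the window scan over it."""
    return find_scripts_modified_in_window(build_sample_web_root())


if __name__ == "__main__":
    for hit in demo():
        print("review:", hit)
```

On a real server the same function would be pointed at the Exchange front-end directory and the results cross-checked against a known-good file inventory from a clean install or backup, because legitimate files can also be touched by an update inside the window.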

A spokesman for the Chinese government told Reuters that the country was not behind these cyber attacks.

Microsoft credited cyber security firm Volexity for discovering and reporting the Exchange bugs.