Microsoft Hit By Large-Scale Cyber Attack
On 02 March 2021, Microsoft reported vulnerabilities in its Exchange Server mail and calendar software, which runs in corporate and government data centres. The affected code goes back around 10 years, and the vulnerabilities have been exploited by China-based attackers since at least January 2021. The group, which Microsoft has dubbed Hafnium, has aimed to gain information from defence contractors, schools and other entities in the United States.
Microsoft has detected multiple zero-day exploits being used against on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which gave it access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments.
Microsoft Threat Intelligence Centre (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs. It has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has made use of legitimate open-source frameworks in its operations.
In campaigns unrelated to these vulnerabilities, Microsoft has observed Hafnium interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments.
Microsoft has detailed that the group operates primarily from leased virtual private servers (VPS) in the United States.
This cyber attack and its likely fallout will most likely stand out as one of the top cybersecurity events of the year, because MS Exchange is still widely used around the world. It may also lead companies to spend more on security software to prevent future hacks, and to move to cloud-based email instead of running their own email servers in-house.
Highlighting concerns from cyber agencies globally, the Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities, and Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities.
Within Australia, cybersecurity officials are urging organisations to immediately secure their digital networks, warning that too many of the nation's businesses are exposed to attacks.
Amid fears that 7,000 servers in Australia and more than 30,000 in the US are affected by the threat, the Australian Cyber Security Centre on Tuesday urged the Federal government and the states to urgently patch their email systems and protect them from the foreign state actor, Hafnium, that sought to make use of the Microsoft vulnerabilities.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has identified extensive targeting, and has confirmed compromises, of Australian organisations with vulnerable Microsoft Exchange deployments. The ACSC is assisting affected organisations with their incident response and remediation, and has identified a large number of Australian organisations are yet to patch vulnerable versions of Microsoft Exchange, leaving them vulnerable to compromise. The ACSC urges these organisations to do so urgently.
A spokesman for the Department of Home Affairs said on Tuesday the ACSC was continuing to investigate the Microsoft cyber-infiltrations. “The ACSC provided notification to federal, state and territory government cyber security representatives of the vulnerabilities and the urgent need to patch,” the department spokesman said.
A Chinese Foreign Ministry spokesman in the past week has denied Beijing had any involvement in the cyber attack.
Montane Protective Security provides unique and client-specific cyber and information security solutions for small, medium and large businesses.
Please contact us to learn how we can assist in protecting against malicious online and human-based threats.