CCP-Backed Hackers Target Exchange Servers With Zero-Day Exploit


Hackers backed by the Chinese Communist Party have taken advantage of zero-day exploits in Microsoft Exchange to gain access to and spy on computers, Microsoft researchers say. On Tuesday, the company reported four zero-day vulnerabilities in its Exchange Server software that had been exploited. Once inside, the hackers gained access to email accounts and installed additional malware to enable long-term access to the victims’ computers. Microsoft is urging users to install the new updates that patch the vulnerabilities.

In their report, the researchers identified the hackers as Hafnium, a group that operates from China and is believed to be sponsored by the Chinese government.

It is clear from the attack that the hackers are highly skilled and competent: taking advantage of these exploits required a great degree of knowledge and research, and considerable sophistication to actually carry out.

It is not currently believed that the intended targets are individual Exchange users; rather, business accounts appear to have been the focus.

Zero-day vulnerabilities seem to be becoming more common, but they have always been a fairly common occurrence in all forms of software, most often affecting large updates to operating systems.

When a new product or update is released, it may contain a weakness or vulnerability in the code itself that hackers can exploit.

Finding these vulnerabilities is tricky. It often requires reverse-engineering beta releases and a keen understanding of both the programming language involved and penetration testing.

In the White-Hat hacking community, hackers often complete Bug Bounties for companies such as Microsoft and Google. In these programs, the hacker finds a zero-day vulnerability and alerts only the affected company. The company rewards the hacker with a bounty, which can be as much as $100,000.

In the Black-Hat hacking community, identifying the vulnerability works the same way, but the outcome is different. Freelance hackers may sell knowledge of the exploit on the Dark Web for hundreds of thousands of dollars, though they often belong to a larger hacking organization that will use the exploit itself.

Anatomy of the Exploits


Often when exploits are discovered in a release, it can take some time before Microsoft pushes its users to update. Given the severity of the four discovered here, however, it has advised immediate updates. The four vulnerabilities in question are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
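The general defence against SSRF is to let the application make outbound requests only to destinations it has decided in advance are legitimate. The following is an added example, not code from the article or from Microsoft: a validator for user-influenced URLs that enforces a scheme and host allowlist and refuses literal addresses in loopback, private, link-local and other non-routable ranges. The host names in ALLOWED_HOSTS are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of hosts this service is permitted to fetch from.
# A real deployment derives this from configuration, not from request data.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def is_blocked_address(host: str) -> bool:
    """Return True if `host` is a literal IP in a range that must never be fetched.

    Non-literal host names return False here; they are checked against the
    allowlist separately.
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return (
        ip.is_loopback        # 127.0.0.0/8, ::1
        or ip.is_private      # RFC 1918, fc00::/7
        or ip.is_link_local   # 169.254.0.0/16 (cloud metadata endpoints live here)
        or ip.is_reserved
        or ip.is_multicast
        or ip.is_unspecified  # 0.0.0.0, ::
    )


def validate_outbound_url(url: str) -> tuple[bool, str]:
    """Decide whether the service may issue a request to `url`.

    Returns (allowed, reason). Every rejection carries a reason so that the
    decision can be logged and reviewed.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    # Credentials embedded in the URL are a common way to confuse host parsing.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname  # already lowercased, brackets stripped for IPv6
    if not host:
        return False, "missing host"
    if is_blocked_address(host):
        return False, "address range not allowed"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/items",
        "http://127.0.0.1/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://user@cdn.example.com/",
        "file:///etc/hosts",
    ):
        print(candidate, "->", validate_outbound_url(candidate))
```

The allowlist check runs after the address-range check on purpose: even if an operator mistakenly adds an internal address to ALLOWED_HOSTS, the range check still rejects it. Hostnames that resolve to internal addresses are a separate concern; a production validator also resolves the name and applies the same range check to every returned address before connecting.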

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when a program deserializes untrusted, user-controllable data. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. It requires administrator permission or another vulnerability to exploit.
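Why deserializing untrusted data is dangerous is easiest to see in a serialization format that can name callables. The following is an added example in Python, not code from the article or from Microsoft, and it has nothing to do with the .NET serializer in Exchange; it uses Python's pickle format to show the same class of defect. A constructed byte stream instructs the deserializer to invoke a function the application never asked for (the harmless os.getcwd here), and a restricted unpickler with an allowlist of permitted types refuses it while still accepting ordinary data. The Reducible class and the allowlist contents are constructed for the demonstration.

```python
import io
import os
import pickle


class Reducible:
    """Constructed stand-in for data whose serialized form names a callable.

    pickle records (callable, args) and invokes callable(*args) when the
    stream is loaded. The class only exists to build such a stream; any
    sender of bytes could write the same opcodes directly.
    """

    def __reduce__(self):
        return (os.getcwd, ())   # harmless: runs os.getcwd() at load time


def build_untrusted_stream() -> bytes:
    """Constructed stream that makes the deserializer run os.getcwd()."""
    return pickle.dumps(Reducible())


def benign_stream() -> bytes:
    """Constructed stream carrying only plain data types."""
    return pickle.dumps({"owner": "alice", "ids": [1, 2]})


def unsafe_loads(data: bytes):
    """Vulnerable pattern: the byte stream decides which code runs."""
    return pickle.loads(data)


# Allowlist of (module, qualified name) pairs the hardened loader may resolve.
# Plain containers and scalars are encoded with dedicated opcodes and never
# reach find_class, so this list governs only references to named objects.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("builtins", "str"),
    ("builtins", "int"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pattern: refuse every global reference not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> tuple:
    """Return (result of the unsafe load, whether the safe load blocked it)."""
    stream = build_untrusted_stream()
    ran = unsafe_loads(stream)          # a str: os.getcwd() actually executed
    try:
        safe_loads(stream)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return ran, blocked


if __name__ == "__main__":
    result, blocked = demo()
    print("unsafe load executed a callable and returned:", result)
    print("restricted load blocked it:", blocked)
    print("restricted load of plain data:", safe_loads(benign_stream()))
```

The allowlist is the important part: a deserializer that can resolve arbitrary type names on behalf of the sender is handing the sender a choice of code to run, whatever the language. Where the data only ever needs plain containers and scalars, a format without that capability (JSON, for instance) removes the problem entirely.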

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065 is also a post-authentication arbitrary file write vulnerability in Exchange. As with CVE-2021-26858, if Hafnium could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server, after authenticating either by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
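Both file-write vulnerabilities above come down to a server accepting a path from an authenticated caller and writing wherever it points. The following is an added example, not code from the article or from Microsoft, of the generic countermeasure: canonicalise the requested path, confirm it stays beneath the directory the feature is meant to write to, and refuse to overwrite files that already exist. The directory and file names used are constructed for the demonstration.

```python
import os
import tempfile


def resolve_within(base_dir: str, requested: str) -> str:
    """Return the canonical path for `requested` if it stays under base_dir.

    Raises ValueError for anything that escapes: '..' segments, absolute
    paths, or symlinks that point outside the directory.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` is absolute, so an
    # absolute input lands outside `base` and fails the commonpath check.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole path components, so a sibling directory whose
    # name merely starts with `base` (e.g. /srv/uploads2) is also rejected.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


def write_confined(base_dir: str, requested: str, data: bytes) -> str:
    """Write `data` to `requested` only if it resolves inside base_dir."""
    target = resolve_within(base_dir, requested)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    # Mode 'xb' fails if the file exists, so this routine can create new
    # files but never replace ones already on disk.
    with open(target, "xb") as fh:
        fh.write(data)
    return target


def demo() -> tuple:
    """Return (legitimate write succeeded, every escape attempt was rejected)."""
    with tempfile.TemporaryDirectory() as base:
        written = write_confined(base, "reports/q1.txt", b"constructed sample")
        inside = os.path.isfile(written) and written.startswith(os.path.realpath(base))
        rejected = []
        for bad in ("../outside.txt", "/tmp/outside.txt", "reports/../../escape.txt"):
            try:
                resolve_within(base, bad)
                rejected.append(False)
            except ValueError:
                rejected.append(True)
    return inside, all(rejected)


if __name__ == "__main__":
    ok, escapes_blocked = demo()
    print("write inside base directory succeeded:", ok)
    print("all traversal attempts rejected:", escapes_blocked)
```

Resolving the base directory with realpath before the comparison matters on systems where the upload directory is itself reached through a symlink; comparing an unresolved base against a resolved candidate would reject every legitimate write.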

Hafnium: The Hackers Behind The Attacks


The hackers behind the attack, Hafnium, are believed to be backed by the Chinese government. Unlike groups such as Lazarus, Hafnium has kept a very low profile and seems to put more effort into hiding its tracks than other organizations do.

Microsoft claims, “Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”

Hafnium has a history of exploiting zero-day vulnerabilities in systems that use internet-facing servers. Usually, once they penetrate a network, they exfiltrate data to file-sharing sites such as MEGA.

Microsoft has been tracking Hafnium for a number of months, after previous attempts by the group on Exchange servers. There have been several cases in the past of Hafnium trying to interfere with Office 365 users.

Protection Against Hackers

There are many steps you can take to ensure your business and family are safe from hackers. Updating systems with the latest patches, as Microsoft suggests, is one step; another is using the right tools to stay protected.

One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.
