Microsoft Says China-Linked Hackers Hit Its Exchange Email Servers
As cybersecurity threats become more and more abundant across the world, Microsoft has now announced a warning to customers, stating that a new China state-sponsored threat actor, whom the software giant called "highly skilled and sophisticated", is exploiting four previously undisclosed security flaws in the company's enterprise email product Exchange Server, according to a press release.
The announcement released on Tuesday, March 2nd, details the hacking group which it calls Hafnium. Microsoft states that it believes Hafnium is targeting a broad range of U.S.-based organizations, including law firms and defense contractors, but also infectious disease researchers and policy think tanks, to steal information.
While the group operates out of China, it's using servers located in the U.S. to launch its attacks. Microsoft stated Hafnium used the four newly discovered, and patched, security vulnerabilities to slip into Exchange email servers. When used together, the four vulnerabilities created an attack chain that enabled attackers to steal data such as email accounts and address books from a victim’s organization and granted the ability to plant malware. The on-premise servers running Exchange 2013 and later were affected.
Microsoft stated that Hafnium was the primate threat group it caught using these four vulnerabilities, and while Microsoft didn't elaborate on the number of successful attacks it had seen, the number was reportedly "limited," Tech Crunch reported.
The company quickly deployed an update for the Hafnium exploits, but stated that "we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack." Microsoft is now urging users to download the software patches.
The U.S. government agencies were made aware of the new findings. Microsoft also wrote, "We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services." Previously, the FBI had stated the SolarWinds was "likely Russian in origin," and news has started circulating that it may have begun with an intern's surprisingly easy password.