Application security, Threat Management

Microsoft issues critical Exchange Server patches to thwart wave of targeted attacks

Microsoft released patches Tuesday for four critical vulnerabilities Chinese hackers are using in targeted attacks on Exchange Server, SC Media has learned.

On a series of three blog posts to be released Tuesday, Microsoft said targeted hacking from a group operating out of China that the company calls Hafnium, linked together chains of vulnerabilities to garner access.

"We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem," Microsoft noted in the blog post, which was provided to SC Media before release.

Microsoft was quick to caution that this hacking is unrelated to Solarigate.

The initial stage of the attack involves an untrusted connection to a target server over port 443, meaning that aspect of the attack could be mitigated by restricting untrusted connections or using a virtual private network to cordon off the server. But Microsoft warns that if the hackers have already breached the system, or if they can con an administrator to opening a malicious file, that mitigation will not work.

Hafnium is focused on stealing data U.S. firms across a variety of industries, including infectious disease researchers, law firms, defense contractors, higher education, think tanks, and non-government organizations, said Microsoft. It stages attacks through leased virtual private servers in the United States, exfiltrating data through file sharing sites like Mega.

"While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers in the United States," according to Microsoft.

Vulnerable versions of Exchange Server include Microsoft Exchange Servers 2013, 2016 and 2019. Microsoft suggests patching these immediately.

The four vulnerabilities include CVE-2021-26855, a server-side request forgery vulnerability that allowed Hafnium to manipulate authentication. With that authentication, Hafnium could then use either of two file write vulnerabilities also patched today, CVE-2021-26858 and CVE-2021-27065.

The fourth vulnerability, CVE-2021-26857, is an insecure deserialization vulnerability in the Unified Messaging service that allowed the hackers to run code on exchange servers, but required either an additional vulnerability or an administrator's permission to run.

Microsoft credited Volexity and Dubex for reporting different components of the attack.

This article was updated once Microsoft released information about the patches in its blog.

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.
Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

You can skip this ad in 5 seconds