In an attempt to gain long-term access to victim environments, Chinese government-sponsored hackers have targeted on-premises versions of Microsoft Exchange Server using zero-day vulnerabilities.
The Redmond, Washington-based tech giant said that the hackers used previously unknown vulnerabilities to carry out limited, targeted attacks on on-premises Exchange servers. This gave them access to victims' email accounts and allowed them to install additional malware that would pave the way for long-term access.
The Microsoft Threat Intelligence Center attributes the campaign to Hafnium, a state-sponsored hacking group based in China that operates primarily from leased virtual private servers in the United States. To exfiltrate information, Hafnium targets US-based infectious disease researchers, policy think tanks, higher education institutions, law firms, defence contractors and NGOs.
The Microsoft Threat Intelligence Center wrote in a blog: “We shared this information with our clients and the safety community to underline the important existence of these vulnerabilities and the value of patching all affected devices urgently so as to avoid potential misuse across the ecosystem.”
First, the hackers gain access to an Exchange server either with compromised credentials or by using a zero-day vulnerability to masquerade as someone who should have access to it.
According to Volexity, a Virginia-based cybersecurity firm, the hackers used one flaw to steal the complete contents of several user mailboxes; exploiting it required only knowledge of the Exchange server and the targeted email account. The flaw is exploitable remotely and does not require the attacker to be authenticated or to have any special knowledge or access.
Where Hafnium had to authenticate to the Exchange server, the hackers either compromised legitimate administrator credentials or used the third or fourth Microsoft vulnerability to write a file to any path on the server. From infected networks, the hackers have downloaded the Exchange offline address book, which contains information about an organization and its users.