Microsoft® Exchange® Servers Suffer Multiple “Zero-Day” Attacks

Microsoft has reported that it has suffered four “zero-day” attacks targeting its on-premises email and calendaring Exchange Server products. These previously undetected and unaddressed (zero-day) attacks have been attributed to the Chinese “Hafnium” espionage group, a criminal organization that typically targets U.S. defense contractors, law firms, and infectious disease researchers. Per Microsoft, these attacks have been successful in exfiltrating email and other sensitive data from the attacked servers. Microsoft has issued software patches that address and mitigate the discovered vulnerabilities.

The reported vulnerabilities apply to on-premises versions of Microsoft Exchange Server. The affected versions include Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019. An additional security update has been provided for Microsoft Exchange Server 2010. Note, however, that Microsoft Exchange Online (i.e., hosted email for business) has not been affected by the vulnerabilities.

The zero-day attacks include various techniques that essentially trick the server into running commands, including those for authentication and exfiltration purposes. According to the firm credited with discovering the attacks, while sophisticated to develop, the exploits are not difficult to use by knowledgeable bad actors.

Microsoft has provided further details regarding the techniques used in the attack, as well as methods to assess if an attack has occurred. Due to the urgency of the situation, it has released the patches to address these vulnerabilities outside its regular patch delivery schedule.

ACA guidance

ACA  Aponix recommends the following:

• Urgently apply the software patches provided by Microsoft if your company uses Microsoft Exchange Server 2010, 2013, 2016, or 2019.
• Verify that vendors managing your Exchange solution apply the software patches as needed. Verify as well that key vendors apply the patch for their own Exchange solution.
• Reach out to ACA Aponix or other trusted third-party service providers for help in detecting potential breaches or applying software patches, should the need arise for these involved processes.
• Ensure that a mandated, company-wide patching policy is in place, and that delivered patches are applied promptly. Test the implementation of the policy to ensure functionality

How we help

ACA Aponix offers the following solutions that can help organizations enhance their cybersecurity:

• Risk assessments and regulatory compliance testing services
• Threat Intelligence, phishing testing, and monitoring
• Operational resilience and governance

Download our Aponix Protect^™ cybersecurity solution brochure.

If you have any questions, please contact your ACA Aponix consultant or contact our cyber team.