China flag depicted on screen with the program code showing Chinese hackers exploiting Microsoft Exchange mail server

CISA and Microsoft Warn of Chinese Hackers Exploiting Several Microsoft Exchange Mail Server Zero-Day Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency alert after suspected state-sponsored Chinese hackers were discovered exploiting Microsoft’s mail server program Microsoft Exchange.

Microsoft noted that the threat actor also installed additional malware to gain persistence on victims’ networks. CISA ordered all government entities to install Microsoft Exchange updates to block hackers.

Microsoft blames state-backed Chinese hackers for the Microsoft Exchange mail server exploits

In a blog post, the tech giant said it had “high confidence” that the Chinese government-backed the threat actors behind the Microsoft Exchange server software breach.

Microsoft says the Chinese hacking group Hafnium exploited four zero-day vulnerabilities, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability allowing an attacker to send arbitrary POST requests to Microsoft Exchange systems.
  • CVE-2021-26857 is a remote code execution vulnerability affecting the deserialization process in MS Exchange’s Unified Messaging service. It allows an attacker to run arbitrary code as SYSTEM user on the mail server.
  • CVE-2021-26858 is a remote code execution vulnerability allowing an attacker to write an arbitrary file on any path on the Microsoft Exchange mail server.
  • CVE-2021-27065 is another remote code execution vulnerability with a CVSS v3 score of 7.8. It also allows an attacker to write a file to any Microsoft exchange server path.

“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed the installation of additional malware to facilitate long-term access to victim environments,” Microsoft said.

Microsoft Vice President Tom Burt said in a separate blog post that the Chinese hackers targeted “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”

The tech giant said that the zero-day Microsoft exchange email server exploits allowed the Chinese hackers to access not only the victims’ emails and calendar invitations but also their entire networks.

Microsoft attributed the discovery to Cybersecurity firm Volexity. The firm says that “the attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.”

Volexity added that the “vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment.”

Independent cybersecurity firms corroborate Microsoft’s hacking claims

The cybersecurity firm FireEye says the Hafnium Chinese hackers exploited Microsoft Exchange Mail Server program since January targeting various organizations.

FireEye says that hacking victims included U.S. local governments, retailers, an engineering firm, a university, a Southeast Asian government, and a Central Asian telecoms company.

Contrarily, the Chinese authorities denied Microsoft’s claim of Beijing’s involvement in the mail server breach.

The Chinese Washington Embassy reiterated the communist government’s spokesman Wang Wenbin’s remarks. Wenbin denied China’s involvement claiming that virtual cyberspace had all kinds of online actors who were difficult to trace. He added that “tracing the source of cyber-attacks is a complex technical issue.”

Wenbin also urged media companies to adopt professionalism and a responsible attitude, and have enough evidence when attributing cyber-related incidents, instead of making groundless accusations.

CISA warns of widespread disruption of federal services and exploitation of the vulnerability

CISA says widespread exploitation of the Microsoft Exchange mail server vulnerability was expected.

Additionally, the federal agency warned of potential disruption of services noting that “federal government services to the American public could be degraded.”

CISA also warned that the Chinese hackers could gain “persistent system access” to victims’ networks by exploiting the Microsoft exchange mail server vulnerability.

However, neither Microsoft nor CISA indicated that the Microsoft Exchange Mail server vulnerability led to widespread exploitation of federal or state computer networks so far.

President Biden’s national security adviser Jake Sullivan urged organizations to install Microsoft Exchange updates to prevent hackers from exploiting the vulnerability.

“We are closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises of U.S. think tanks and defense industrial base entities,” Sullivan tweeted.

“With organizations migrating to Microsoft Office 365 en-masse over the last few years, it’s easy to forget that on-premises Exchange servers are still in service,” says Saryu Nayyar, CEO at Gurucul. “Some organizations, notably in government, can’t migrate their applications to the cloud due to policy or regulation, which means we will see on-premises servers for some time to come.”

Katie Nickels, director of intelligence at Red Canary says that although preventing zero-days was difficult, post-exploitation detection was possible.

“We will never be able to stop zero-days, but organizations that practice defense-in-depth and maintain behavioral analytics to alert on common attacks should feel confident about their ability to detect this activity,” Nickels adds. “Some of the activity we observed uses the China Chopper web shell, which has been around for more than 8 years, giving defenders ample time to develop detection logic for it.”