Security incidents in which cybercriminals exploit critical vulnerabilities in Microsoft products have become rampant in recent times. The Microsoft Threat Intelligence Center (MSTIC) recently identified a state-sponsored threat actor group targeting unpatched vulnerabilities in Microsoft systems.
Dubbed Hafnium, the hacking group is believed to operate from China, using leased virtual private servers (VPS) in the U.S. Earlier, the group targeted several entities in the U.S. to exfiltrate sensitive data from multiple sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
Hafnium’s Attack Tactics
Microsoft’s research team stated that Hafnium has carried out several attacks by leveraging previously unknown exploits targeting on-premises Exchange Server software. The Hafnium threat group’s attack chain consists of three steps:
- Initially, the group gains access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.
- Next, they create what’s called a web shell to control the compromised server remotely.
- Finally, the group uses that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.
Microsoft has released security updates to protect customers running Exchange Server on their networks. The technology giant urged all Exchange Server users and organizations to apply the patches as soon as possible.
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack,” Microsoft said.
Microsoft Flaws Raise Fears at White House
Cybersecurity experts recently discovered security flaws in Microsoft software for email and contacts that raised severe concerns at the White House and at the highest levels of the U.S. government. Organizations are being asked to apply the patches immediately to avoid any threats.
“This is a significant vulnerability that could have far-reaching impacts. First and foremost, this is an active threat. Everyone running these servers — government, private sector, academia — needs to act now to patch them,” said Jen Psaki, the White House press secretary.