Microsoft has announced in a blog post that a “highly skilled and sophisticated” group of hackers is targeting its business e-mail software, Exchange. The group’s objective is to steal the contents of its victims’ mailboxes.
In response, the American firm published a patch for four “zero-day” vulnerabilities, that is, vulnerabilities that had not previously been detected and documented. It also alerted the relevant US government agencies to the situation. However, it declined to say how many attacks had succeeded.
NGOs, lawyers … targeted
The Microsoft Threat Intelligence Center (MSTIC), a group of experts specializing in computer security, claims that this group of cybercriminals, dubbed Hafnium, is linked to China. It targets American entities such as infectious disease researchers, law firms and NGOs in order to steal information from them.
Hafnium’s modus operandi consists of three steps. The first is to gain access to an Exchange server, either with stolen passwords or by exploiting previously undiscovered vulnerabilities. The hackers then install a web shell to control the compromised server remotely. Finally, they use this remote access, operated from virtual private servers (VPS) located in the United States, to exfiltrate data.
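A defender-side check for the second step above, added here as an example and not taken from Microsoft’s or Secureworks’ material: a web shell placed on an Exchange server is typically driven through POST requests to a page the server was never meant to serve, so comparing the .aspx paths that receive POSTs against a known-good baseline surfaces candidates for review. The baseline pages, the simplified log format and the log lines are all constructed for the example.

```python
"""Added example: flag candidate web-shell activity in simplified IIS-style logs.
Assumption (hypothetical): a baseline of the .aspx pages the server is expected
to serve is available; any other .aspx that receives POSTs deserves a closer look."""
from collections import defaultdict

# Constructed baseline of expected pages (not a real Exchange inventory).
KNOWN_PAGES = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}

# Constructed sample lines: date time method uri-stem client-ip status
SAMPLE_LOG = """\
2021-03-01 02:11:04 GET /owa/auth/logon.aspx 198.51.100.7 200
2021-03-01 02:11:09 POST /owa/auth/logon.aspx 198.51.100.7 302
2021-03-01 02:14:31 POST /owa/auth/help.aspx 203.0.113.20 200
2021-03-01 02:14:40 POST /owa/auth/help.aspx 203.0.113.20 200
2021-03-01 02:15:02 POST /aspnet_client/x.aspx 203.0.113.21 200
2021-03-01 02:16:55 GET /ecp/default.aspx 198.51.100.8 200
"""


def parse_line(line):
    """Split one simplified log line into its fields; return None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, method, uri, client, status = parts
    return {"time": f"{date} {time}", "method": method.upper(),
            "uri": uri.lower(), "client": client, "status": status}


def find_suspect_pages(log_text, known_pages=KNOWN_PAGES):
    """Map each .aspx path that receives POSTs but is not in the baseline
    to the sorted list of client IPs that posted to it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue  # skip malformed lines and plain page views
        if rec["uri"].endswith(".aspx") and rec["uri"] not in known_pages:
            hits[rec["uri"]].add(rec["client"])
    return {uri: sorted(ips) for uri, ips in sorted(hits.items())}


if __name__ == "__main__":
    for uri, ips in find_suspect_pages(SAMPLE_LOG).items():
        print(f"review {uri}: POSTs from {', '.join(ips)}")
```

Source addresses that only ever appear against unbaselined pages are the ones to correlate with the VPS traffic the article describes.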
Mike McLellan, director of intelligence at Dell Technologies Inc.’s Secureworks, told Reuters that he had noticed “a peak of activity” affecting Exchange servers on Sunday night. A dozen of his company’s clients were reportedly affected.
Microsoft in the spotlight since SolarWinds
Microsoft products have come under scrutiny since the SolarWinds attack, revealed last December, which resulted in the compromise of several versions of the Orion software. The Redmond firm announced that the hackers had accessed parts of its source code related to Azure “identity and security”, to the Exchange business messaging software and to the Intune mobile-device administration tool. It maintained, however, that none of its products or services had served as a relay for the attack.