Microsoft has warned its business customers of potential attacks on the Microsoft Exchange Server, which could result in the loss of sensitive company data.
The attacks, which Microsoft claims originate in China, target specific vulnerabilities in the software. The vulnerabilities can be closed by applying a recently released Microsoft patch.
If an attack succeeds, the hackers can place malware on the system, which could potentially give them long-term access.
Vulnerability of the Microsoft Exchange Server Found
First, the bad news. This is a vulnerability in the Microsoft Exchange Server application – a platform that is commonly used by businesses worldwide to handle email. The good news is that it has already been fixed, and can be remedied with the download of a patch.
The threat targets a specific, previously identified vulnerability in the email app. According to Microsoft, the hacking group behind the incident has been observed to wage “limited and targeted attacks” that allow for the installation of its own malicious software on the affected servers.
The news of the vulnerability was revealed on Microsoft's security blog, which has been proactive in alerting customers to potential hacks and issues across its range of products. Microsoft has offered practical advice on how to handle potential attacks, and warned who is behind them.
Microsoft identified this particular exploit in conjunction with the security companies Volexity and Dubex, and further, detailed information is available on the latter's blog.
“We strongly urge customers to update on-premises systems immediately” – Microsoft Security Blog
Who is Behind the Attack?
The group behind this latest attack, according to Microsoft, is Hafnium, a China-based group which it calls a “highly skilled and sophisticated actor”. The group is Chinese in origin, though activity is carried out via virtual private servers in the United States.
Hafnium has a three-pronged attack strategy when it comes to infiltrating the Microsoft Exchange Server. First, it gains access to the Exchange Server with stolen passwords, or via known vulnerabilities. Then, a web shell is created to control the server remotely. Lastly, this remote access is used to siphon data from the compromised company.
Once established, the hacking group can retain unfettered access to the server and keep siphoning off information indefinitely.
Previously, in instances where Hafnium has gained access to a network, it has moved data to file-sharing sites such as MEGA.
How to Fix the Microsoft Exchange Server Vulnerability
It's commonplace for companies to keep details of exploits under wraps until there is a fix in place. This helps to mitigate the potential damage that could be done.
This incident is no exception, and along with the news that the vulnerabilities exist and had been exploited, Microsoft also released a new patch.
For businesses using Microsoft Exchange Server, it's important that the patch is downloaded and applied as soon as possible, whether you think you have been targeted or not.
The software update can be found on Microsoft's site.
If you're concerned that your system may have been attacked through this method, Microsoft has also listed some potential signs to look out for, including unusual activity on the server and clues in its log files.