Hafnium authority hack shows once again: end-to-end encryption is indispensable. Once again, a security incident has the IT world in a tizzy. This time it is several security holes in the widely used mail server Microsoft Exchange that have triggered the disaster. In Germany alone, at least 10,000 Exchange servers were initially affected. Through the aforementioned security holes, an attacker can gain administrator rights on an Exchange server, which gives them access to all emails processed there.
Microsoft - HAFNIUM targeting Exchange Servers with 0-day exploits. Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM.
Experts say Hafnium hacker group, backed by the Chinese government, is responsible for the recent, massive Microsoft cyberattack that has put businesses around the globe at risk. The attack targeted Microsoft's business email software, Microsoft Exchange, and has quickly grown into a global cybersecurity crisis as companies scramble to secure their networks.
What is the Hafnium Microsoft hack? In March, tens of thousands of organisations around the world discovered their private internal discussions had been cracked open and laid bare by a group of Chinese hackers. Four previously undiscovered weaknesses in Microsoft’s Exchange software, known as “zero days” because the company had had zero days to fix the flaws before they were exploited, lay behind the mass hack. The vulnerabilities, which affected software released from 2012 onwards, allowed the group to take permanent control of the corporate servers, siphoning emails, calendars, and anything else they desired.
Microsoft was warned months ago — now, the Hafnium hack has grown to gigantic proportions / The White House is calling it an active threat, promising a ‘whole of government response’.
On-premises versions of Microsoft Exchange Server (one of the most popular enterprise-grade mail servers on the market) are under attack by what is believed to be a state-sponsored Chinese hacking group known as Hafnium.
At least 30,000 organizations in the U.S. have been hacked by a Chinese cyber espionage unit, known as "Hafnium." The group is targeting and exploiting security vulnerabilities in Microsoft Exchange Server email software.
Government IT teams still reeling from the massive supply chain hack involving SolarWinds are now tasked with evicting any adversaries that penetrated their networks through recently discovered vulnerabilities in Microsoft's Exchange software. While updating software will protect systems not yet affected, "patching and mitigation is not remediation if the servers have already been compromised," the National Security Council said in a March 5 tweet.
Microsoft Exchange Server, which runs exclusively on the Windows Server operating systems, is a well-known mail server with numerous users around the world. A cyber attack by HAFNIUM, an infamous hacking group, put the security of this mail server into question when Microsoft itself announced back in March 2021 that HAFNIUM had created a backdoor and was targeting Exchange Servers with 0-day exploits.
The United States and several allies have blamed hackers associated with China’s government for the Microsoft Exchange Server cyberattack and email hack. The hack, first reported in Q1 of 2021, impacted thousands of on-premises email customers, small businesses, enterprises and government organizations worldwide. The following links summarize steps that MSPs and MSSPs can take to patch Exchange Server for customers.
Microsoft told security expert Brian Krebs that the company was made aware of four zero-day bugs in "early" January. A DEVCORE researcher, credited with finding two of the security issues, appears to have reported them around January 5. Going under the handle "Orange Tsai," the researcher tweeted:
Microsoft last week revealed a new hacking group it calls Hafnium, which operates in, and is backed by, China. Hafnium used four previously unreported vulnerabilities — or zero-days — to break into at least tens of thousands of organizations running vulnerable Microsoft Exchange email servers and steal email mailboxes and address books.
On March 5, Krebs on Security reported that the Microsoft Exchange servers of at least 30,000 U.S. organizations, and hundreds of thousands globally, had been hacked. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign “with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.” The US Cybersecurity & Infrastructure Security Agency (CISA) issued an Emergency Directive for Federal Civilian Branch Agencies and a general document on Remediating Microsoft Exchange Vulnerabilities.
On March 2, Microsoft said there were vulnerabilities in its Exchange Server mail and calendar software for corporate and government data centers. The vulnerabilities go back 10 years, and have been exploited by Chinese hackers at least since January. The group, which Microsoft has dubbed Hafnium, has aimed to gain information from defense contractors, schools and other entities in the U.S., according to a blog post by Microsoft VP Tom Burt. The hack could lead companies to spend more on security software and to adopt cloud-based email instead of running their own email servers in-house.
Three months after the exploitation of the SolarWinds update by the Russians, it’s now time for the Chinese to have their turn. The SolarWinds hack was caused by third-party agents infiltrating an update to their network monitoring software. This allowed them to view activity and even upgrade user rights to administrator level, allowing wider access across systems. The perpetrators did not do any malicious damage; they just stayed in the background and watched.