Latest Cyber Attack on Microsoft Exchange Servers

April 23, 2021

We want you to be aware of the latest major cyberattack that has affected tens of thousands of businesses and organizations in the US, Europe, and Asia.

Microsoft began seeing abuse of Microsoft Exchange Server as early as January 6th of this year, but a public warning about the attacks wasn’t issued until March 5th, followed by emergency patches released on March 6th.

These cyberattacks only affect local (on-premises) Exchange servers, so those who only use Exchange Online need not worry. But for everyone else, here are the details you should be aware of:

Microsoft primarily attributes the cyberattacks to a Chinese-government-backed hacking group called Hafnium. There are four 0-day exploits at play, labeled CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

These exploits were first believed to be “limited and targeted,” but they soon became widespread, with attackers seeking to exploit any vulnerable system. Targets have included both businesses and government entities. Hafnium’s primary motive is still unknown; most likely there are a variety of motives, as there are a variety of attackers at play. The exploits create a backdoor to the email servers, allowing the hackers full access to emails. If left unchecked, that backdoor gives them long-term access to steal emails.

The patches issued on March 6th do not undo a compromise that has already taken place on the server. They merely prevent future attacks by these particular exploits.

Therefore, the owner of a local Exchange Server must apply the patches immediately (or disconnect the vulnerable servers from the network). It is also important to check whether the server has been hacked already.

There are various steps and actions to take to check the server and completely root out all artifacts of the exploit, and you can find these guides online. However, the easier option is to have Movaci handle everything for you. Contact us and we’ll perform a complete analysis of your server and remove all traces of the exploits.

There’s one more piece to this story that we think important enough to share. The FBI itself has used the backdoor exploits created by Hafnium to enter into vulnerable systems and “close” the backdoors created by the cyber attackers. This is done without the server owner’s awareness.

The FBI claims that this effort has been successfully carried out for hundreds of vulnerable systems. This is amazing in itself, but the fact that the FBI is doing this of its own volition, without the system owners’ consent, may become the bigger headline soon.

What are the future implications of this move by the FBI in the world of cyberwarfare?

In the meantime, both the FBI and Microsoft continue to observe and contend against Hafnium in hopes of gaining the upper hand and learning more about the origins and motives of the attacks.

If we learn any new details about this story, we’ll be sure to share them with you in a future post.

