Microsoft Fixes Exchange Server Flaws Exploited by Hafnium Threat Actor
Microsoft has warned that Hafnium, a state-sponsored threat actor operating from China, has been exploiting four previously unknown vulnerabilities in Microsoft Exchange Server software to gain access to networks of targeted organizations and exfiltrate data. The attacks target on-premises Exchange Server software. Microsoft has released updates to address the vulnerabilities. They affect Microsoft Exchange Server 2013, 2016, and 2019.
Note this only applies to on-premise Exchange servers, Microsoft 365, aka Exchange Online, is not impacted. The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. While not vulnerable, the update includes patches for Microsoft Exchange Server 2010 for defense in depth; in other words patch all versions of Exchange from 2010 forward. While a migration to MS 365 may on your strategic roadmap, that migration takes significant time, planning and orchestration, and can be disruptive. Accelerating that plan, or initiating one from scratch, is not an effective alternative to patching these vulnerabilities. Patch first then resume your migration as planned.
Read more in
Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits
MSRC: Multiple Security Updates Released for Exchange Server
Dark Reading: Microsoft Fixes Exchange Server Zero-Days Exploited in Active Attacks
The Register: Microsoft fixes four zero-day flaws in Exchange Server exploited by China's ‘Hafnium’ spies to steal victims' data
ZDNet: Microsoft: These Exchange Server zero-day flaws are being used by hackers, so update now
Ars Technica: Microsoft issues emergency patches for 4 exploited 0-days in Exchange
Cyberscoop: Microsoft warns of state-sponsored Chinese hackers exploiting multiple zero-days