Microsoft Fixes Exchange Server Flaws Exploited by Hafnium Threat Actor
Microsoft has warned that Hafnium, a state-sponsored threat actor operating from China, has been exploiting four previously unknown vulnerabilities in Microsoft Exchange Server software to gain access to networks of targeted organizations and exfiltrate data. The attacks target on-premises Exchange Server software. Microsoft has released updates to address the vulnerabilities. They affect Microsoft Exchange Server 2013, 2016, and 2019.
Note this only applies to on-premises Exchange servers; Microsoft 365, aka Exchange Online, is not impacted. The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Although Microsoft Exchange Server 2010 is not vulnerable, the update includes patches for it for defense in depth; in other words, patch all versions of Exchange from 2010 forward. While a migration to MS 365 may be on your strategic roadmap, that migration takes significant time, planning and orchestration, and can be disruptive. Accelerating that plan, or initiating one from scratch, is not an effective alternative to patching these vulnerabilities. Patch first, then resume your migration as planned.