Microsoft Exchange Server Targeted By Chinese Hackers

If your business uses an on-premises installation of Microsoft Exchange Server, then you need to be aware of the latest threat posed by Chinese state-sponsored hackers who are using vulnerabilities in the application to steal emails and compromise networks.

Microsoft has confirmed that hackers have taken advantage of previously unknown vulnerabilities to carry out attacks that have resulted in emails being stolen but, more worryingly, this has allowed the installation of additional malware that paves the way for long-term access.

The Microsoft Threat Intelligence Center is attributing the campaign to Hafnium, a state-sponsored hacking group based in China that operates primarily from leased virtual private servers in the United States. So far, Hafnium has targeted U.S.-based organisations.

Microsoft’s statement on their Blog continued; “We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem,”

The approach used by the Chinese hackers is to first gain access to an Exchange Server, either with stolen passwords or by using the zero-day vulnerabilities, to disguise themselves as someone who should have access. From there, the hackers create a web shell to control the compromised server remotely.

Fortunately, Hafnium’s activities don’t affect Exchange Online. The Microsoft statement continued; “Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches in the best protection against this attack.”

Although the focus of the hackers is primarily the US on this occasion, the lessons are clear for anyone with responsibility for maintaining IT security within their business. At IT Support 365, we proactively manage IT security for our customers, ensuring that protections are in place and networks patched immediately a threat becomes apparent. And to guard against zero-day attacks, we ensure the systems we manage are as prepared as they can be. Various defences are available including virtual local area networks (LANs) to protect transmitted data, the use of a firewalls, and using a secure Wi-Fi system to protect against wireless malware attacks. Individuals and businesses can minimise the risk by keeping their operating systems and software up to date or by using websites with SSL (Security Socket Layer), which secures information being sent between the user and the site.

For advice and support, give our team a call on 0345 051 0600 or email