Security researchers have identified a “highly skilled and sophisticated” Chinese state-sponsored threat actor that’s using exploits in Microsoft Exchange to make away with confidential company data.
The Microsoft Threat Intelligence Center (MSTIC) detected multiple zero-day exploits against the company’s flagship on-premises email server, which it said were being used primarily by the threat actor, dubbed Hafnium. The vulnerabilities have now been patched, and the software company urges all its business customers to update their Exchange server installations.
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack,” suggests Tom Burt, Microsoft’s Corporate Vice President of Customer Security & Trust.
Not a first
According to Microsoft, Hafnium primarily goes after targets in the United States. While it is based in China, it uses leased Virtual Private Servers (VPS) in the US to run its malicious operations.
In a blog post, MSTIC notes that it is aware of a limited number of targeted attacks that have used the now-patched Exchange vulnerabilities.
Analyzing the modus operandi of the attacks, MSTIC says that “the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.”
Burt notes that this is the eighth attack by a state-sponsored group that the company has disclosed in the past twelve months. According to reports, the company has briefed and shared its findings about the attack with US Government agencies.