Microsoft says China-backed hackers are exploiting Exchange zero-days

Microsoft is warning customers that a new China state-sponsored threat actor is exploiting four previously undisclosed security flaws in Exchange Server, an enterprise email product built by the software giant.

The technology company said Tuesday that it believes the hacking group, which it calls Hafnium, tries to steal information from a broad range of U.S.-based organizations, including law firms and defense contractors, but also infectious disease researchers and policy think tanks.

Microsoft said Hafnium used the four newly discovered security vulnerabilities to break into Exchange email servers running on company networks, granting the attackers to steal data from a victim’s organization — such as email accounts and address books — and the ability to plant malware. When used together, the four vulnerabilities create an attack chain that can compromise vulnerable on-premise servers running Exchange 2013 and later.

Hafnium operates out of China, but uses servers located in the U.S. to launch its attacks, the company said. Microsoft said that Hafnium was the primary threat group it detected using these four new vulnerabilities. (An earlier version of Microsoft’s blog post incorrectly said Hafnium was the “only” group to exploit the vulnerabilities.)

Patches to fix those four security vulnerabilities are now out, a week earlier than the company’s typical patching schedule, usually reserved for the second Tuesday in each month.

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” said Tom Burt, Microsoft’s vice president for customer security.

The company said it has also briefed U.S. government agencies on its findings, but that the Hafnium attacks are not related to the SolarWinds-related espionage campaign against U.S. federal agencies. In the last days of the Trump administration, the National Security Agency and the FBI said that the SolarWinds campaign was “likely Russian in origin.”