Microsoft Exchange 0 Day Cyberattack Explained:

There is another large-scale cyber attack of the year after the Linux Sudo vulnerability (CVE-2021–3156). This time it’s Microsoft’s term to face the attack. According to Microsoft, a group of attackers based out of China exploited several Microsoft Exchange 0 Day vulnerabilities (CVE 2021–26855, CVE 2021–26857, CVE 2021–26858, and CVE 2021–27065) that exist in the Microsoft Exchange code base since 2010. Microsoft Exchange server attack is considered more significant than Linux Sudo vulnerability attack as this is a Remote Code Execution attack, which allows attackers to compromise the Exchange Servers sitting remotely. In this article, we are going to explain What actually happened? Who did it? Why it matters? Why is it important for you? Before diving into the actual topic, we want to share some basic terms used in this field as non-technical people also don’t face difficulties in understanding this article.

What Is Microsoft Exchange?

Well, if you don’t know what Microsoft Exchange is. It is Microsoft’s email, calendaring, contact, scheduling, a collaboration platform. It is deployed on Windows Server Operating System by medium or large-scale industries to manage internal email and calendar services.

What Is Zero Day Vulnerability?

A Zero-day vulnerability is a publicly disclosed vulnerability in a system or an application for which no official patches or security fixes are released by the vendor or owner of the system or application. Zero-day vulnerabilities are often targeted and exploited easily, so they are considered high-severity attacks.

What Is Zero Day Exploit?

An exploit is a piece of code, software, or sequence of commands which takes advantage of a bug or vulnerability on the system or application to gain unauthorized access or compromise for malicious intent. An exploit that attacks on a Zero-day vulnerability are commonly known as a Zero-day exploit.

Suppose you go back to April 2020. DHS CISA warned Microsoft for not patching 82% of Exchange server vulnerabilities. Microsoft has become a victim because of this? Could be.

82% of Vulnerable Microsoft Exchange Servers Remain Unpatched by Health IT Security

Let’s see what actually happened in early March 2021. On 2nd March, Microsoft revealed that a China-based group called Hafnium has been launching Cyber Attacks against various organizations and industries by exploiting four zero-day vulnerabilities in the on-premises version of Exchange software: Exchange 2013, 2016, and 2019. On the other hand, Microsoft confirmed that its cloud-hosted services: Exchange Online and Office 365 are completely safe from these cyber attacks. This proved once again that the cloud is a better option than on-premises.

Microsoft Exchange Hack Explained: Everything You Need to know by 

Thanks toMuhammad Afaq Khan for creating this video.

How has the Microsoft Exchange 0 Day Cyberattack Been Carried Out?

As per Microsoft, the Microsoft Exchange 0 Day cyber attack will be carried out in three phases.

Three Phases were carried out in Microsoft Exchange 0 Day cyber attack

What Is the Purpose of This Microsoft Exchange 0 Day Cyber Attack?

Be clear, The main motive behind this attack is not to cause damage. The attack was launched to steal the data from the Microsoft Exchange Servers.

Who is HAFNIUM?

Hafnium is a cyber espionage group based out of China. It’s believed that this is a Chinas state-sponsored group that is actively involved in many exfiltration attempts. According to Microsoft, “HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.” This group operates from leased Virtual Private Servers (VPS) from the United States.

Who Are the Targets of the Microsoft Exchange 0 Day Cyber Attack?

HAFNIUM targets US-based Law firms, Higher Education institutions, Defence Contractors, Think tanks, Infectious disease research organizations, and NGOs. This attack is considered more devastating than Linux Sudo and Solar Winds attacks because HAFNIUM targeted small and medium-sized organizations which don’t have the advanced capabilities or resources to bear the attack.

Microsoft Exchange 0 Day Cyberattack Explained in Chronological Order From the Beginning.

Which Other Cyber Actors Are Involved?

It is also suspected that the attack was not just carried out by HAFNIUM. There are five more names on the list:

This is all about the Microsoft Exchange 0 Day vulnerabilities (CVE 2021–26855, CVE 2021–26857, CVE 2021–26858, and CVE 2021–27065).

Latest News on Proxy Logon Microsoft Exchange Vulnerabilities:

Well, the Proxy Logon Microsoft Exchange vulnerability is again in the news. It’s known that attackers always keep trying new ways to exploit vulnerabilities. This time attackers have been found using the Prometei botnet to compromise Proxy Logon Microsoft Exchange vulnerability (CVE-2021–27065 and CVE-2021–26858) in order to penetrate the network and install Monero crypto-mining malware on the targets. Let’s see how Proxy Logon Microsoft Exchange vulnerability is being exploited by the Prometei botnet?

Please continue reading about the technical details and mitigation steps in the below posts: