Microsoft Corp. says China state-sponsored hackers belonging to the "Hafnium" advanced persistent threat group are still reading emails of large U.S. corporations using its Exchange Server software.
The latest zero-day attack against Microsoft allows Hafnium to steal data from a compromised organization's computer network. Microsoft has released security upgrades to fix the vulnerabilities of its software.
But Microsoft said the cloud-based version of the service isn't affected by the hack. Microsoft said four vulnerabilities in its software enabled the attackers to access "email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments."
It encouraged users to download emergency out-of-band patches for these vulnerabilities. Microsoft Exchange Server is an email and calendar server that runs exclusively on Windows operating systems. The current version is Exchange Server 2019.
Microsoft described Hafnium as "a group assessed to be state-sponsored and operating out of China." It said Hafnium was identified by the Microsoft Threat Intelligence Center based on observed "tactics and procedures."
Cybersecurity experts warn this zero-day attack is only the beginning of things to come. A zero-day attack exploits a potentially serious software security weakness a vendor or developer might be unaware of.
Steven Adair, president of cybersecurity company Volexity, is concerned Hafnium will accelerate its activity before organizations are able to install Microsoft's security upgrades.
He said Hafnium hit "defense contractors, international aid and development organizations, the nongovernmental organization think-tank community."
"As bad as it is now, I think it's about to get a lot worse," said Adair. "This gives them a limited amount of opportunity to go and exploit something. The patch isn't going to fix that if they left their backdoor behind."
Volexity was one of the first cybersecurity companies to detect the Hafnium intrusions, which were unmasked by suspiciously large data transfers in late January.
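The detection clue the article mentions, unusually large outbound transfers from a mail server, can be checked with a simple baseline comparison. The following is an added example and not code from Volexity, Microsoft or the article: it parses constructed per-day egress totals (the log format, host names, byte counts and thresholds are all assumptions for illustration) and flags any day whose outbound volume is several times the median of the preceding days and above an absolute floor, which is the kind of spike that mass mailbox downloads would produce.

```python
"""Flag anomalously large outbound data transfers from a mail server.

Added example (not code from the original article): a baseline-versus-spike
check over constructed daily egress totals. Log format, host names, byte
counts and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: "YYYY-MM-DD host bytes_out", one line per host per day.
# The last two days for mail01 model a sudden surge of downloaded mail;
# mail02 stays at its normal level throughout.
SAMPLE_LOG = """\
2021-01-20 mail01 812000000
2021-01-21 mail01 790000000
2021-01-22 mail01 845000000
2021-01-23 mail01 801000000
2021-01-24 mail01 830000000
2021-01-25 mail01 6400000000
2021-01-26 mail01 7100000000
2021-01-20 mail02 410000000
2021-01-21 mail02 395000000
2021-01-22 mail02 420000000
2021-01-23 mail02 402000000
2021-01-24 mail02 415000000
2021-01-25 mail02 430000000
2021-01-26 mail02 408000000
"""


def parse_egress(text):
    """Return {host: [(date, bytes_out), ...]} with each list sorted by date."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        date, host, raw = line.split()
        per_host[host].append((date, int(raw)))
    for host in per_host:
        per_host[host].sort()  # ISO dates sort lexically in time order
    return per_host


def flag_spikes(per_host, window=5, factor=3.0, min_bytes=1_000_000_000):
    """Flag days whose egress exceeds `factor` times the median of the
    previous `window` days and also exceeds `min_bytes`, so a host with a
    tiny baseline does not alert on ordinary noise.

    Returns a list of (host, date, bytes_out, ratio_to_baseline).
    """
    alerts = []
    for host, series in per_host.items():
        for i in range(window, len(series)):
            baseline = median(b for _, b in series[i - window:i])
            date, today = series[i]
            if today >= min_bytes and today > factor * baseline:
                alerts.append((host, date, today, round(today / baseline, 1)))
    return alerts


if __name__ == "__main__":
    for host, date, total, ratio in flag_spikes(parse_egress(SAMPLE_LOG)):
        print(f"{date} {host}: {total} bytes out ({ratio}x baseline)")
```

The median baseline is deliberately chosen over a mean so that one spike does not immediately inflate the baseline and mask the next day; in the sample, mail01 is flagged on both surge days while mail02 never alerts.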
"They're (Hafnium) just downloading email, literally going to town," said Adair.
Hafnium tricked Exchange servers into granting it access. The hackers did so by masquerading as someone entitled to that access. They then created ways to control the servers remotely and steal data.
Hafnium is based in China but operates from leased virtual private servers in the U.S., which helps it avoid detection. It mostly targets U.S. defense contractors, policy research groups, nongovernmental organizations, infectious disease researchers, law firms and higher education institutions.
Microsoft Threat Intelligence Center said the most common tactics of the Chinese hackers included gathering passwords and the addresses of email accounts. The hackers infect systems with malware and are "consistently targeting and frequently compromising outdated and unpatched VPN infrastructure."