Microsoft has detected multiple zero-day exploits affecting its on-premises Exchange Server products, which are being used in limited and targeted attacks against these systems. Microsoft has attributed the attacks to a group named Hafnium, which is targeting entities across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.

The zero-days are being exploited in a chain: a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content, a remote code execution (RCE) vulnerability that was used to run code under the SYSTEM account, and two other zero-day flaws that allow an attacker to write a file to any location on the server. Combined, these four flaws form an attack chain that allows attackers to gain initial access to these systems merely by locating servers running Exchange and identifying the account from which they want to extract email. From there, they can use web shells placed on the server to gain further footing and make more changes, giving them the opportunity to steal data and perform other malicious actions.

Microsoft is urging users of Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 to apply the security updates immediately to protect their systems against these exploits. Microsoft also recommends restricting untrusted connections or placing the Exchange server behind a VPN to separate it from external access, which stops the initial stage of the attack.

The Cybersecurity and Infrastructure Security Agency (CISA) has also issued an emergency directive with instructions that agencies must follow immediately after identifying all instances of on-premises Microsoft Exchange Server in their environment.