MS Exchange bugs first exploited in January

by Jeremy

Malicious actors were abusing four vulnerabilities disclosed this week in on-premises instances of Microsoft Exchange Server as far back as January 2021, according to a new report produced by FireEye Mandiant researchers Matt Bromiley, Chris DiGiamo, Andrew Thompson, and Robert Wallace.


The four vulnerabilities, one rated critical and three medium, were disclosed earlier this week alongside an out-of-band patch, and Microsoft linked their exploitation to a Chinese advanced persistent threat (APT) group it tracks as Hafnium. However, there is already ample evidence that exploitation of the CVEs goes well beyond a single group.

In Mandiant’s report, the researchers said they had observed multiple instances of abuse within at least one client environment. Observed activity included the creation of web shells to maintain persistent access, remote code execution (RCE), and reconnaissance for endpoint security products from FireEye, Carbon Black, and CrowdStrike.

“The activity reported by Microsoft aligns with our observations. FireEye currently tracks this activity in three clusters, UNC2639, UNC2640, and UNC2643,” said Bromiley, DiGiamo, Thompson, and Wallace in a disclosure blog.

“We anticipate additional clusters as we respond to intrusions. We recommend following Microsoft’s guidance and patching Exchange Server immediately to mitigate this activity.”
