March 2, 2021

Microsoft Corp. today released software updates to plug four security holes that attackers have been using to plunder email communications at companies that use its Exchange Server products. The company says all four flaws are being actively exploited as part of a complex attack chain deployed by a previously unidentified Chinese cyber espionage group.

The software giant typically releases security updates on the second Tuesday of each month, but it occasionally deviates from that schedule when addressing active attacks that target newly identified and serious vulnerabilities in its products.

The patches released today fix security problems in Microsoft Exchange Server 2013, 2016 and 2019. Microsoft said its Exchange Online service — basically hosted email for businesses — is not impacted by these flaws.

Microsoft credited researchers at Reston, Va.-based Volexity for reporting the attacks. Volexity President Steven Adair told KrebsOnSecurity it first spotted the attacks on Jan. 6, 2021.

Adair said that while the exploits used by the group may have taken great skill to develop, they require little technical know-how to use and can give an attacker easy access to all of an organization’s email if its vulnerable Exchange Servers are directly exposed to the Internet.

“These flaws are very easy to exploit,” Adair said. “You don’t need any special knowledge with these exploits. You just show up and say ‘I would like to break in and read all their email.’ That’s all there is to it.”

Microsoft says the flaws are being used by a previously unknown Chinese espionage group that’s been dubbed “Hafnium,” which is known to launch its attacks using hosting companies based in the United States.

“Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” Microsoft said. “HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.”

According to Microsoft, Hafnium attackers have been observed combining all four zero-day flaws to target organizations running vulnerable Exchange Server products.

CVE-2021-26855 is a “server-side request forgery” (SSRF) flaw, in which a server (in this case, an on-premises Exchange Server) can be tricked into running commands that it should never have been permitted to run, such as authenticating as the Exchange server itself.

The attackers used CVE-2021-26857 to run code of their choice under the “system” account on a targeted Exchange server. The other two zero-day flaws — CVE-2021-26858 and CVE-2021-27065 — could allow an attacker to write a file to any part of the server.

After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised server, Microsoft said. Web shells are essentially software backdoors that allow attackers to steal data and perform additional malicious actions that lead to further compromise.
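Because a web shell is just a script file the web server will execute, one of the first checks a defender makes on a suspect Exchange server is an inventory of executable web files that appeared or changed after a trusted baseline date, with hashes that can be compared against a known-good installation. The following is an added example written for this article; it is not code from Microsoft, Volexity, or the Exchange product. It builds its own constructed sample directory (standing in for a web-accessible directory such as the OWA front end; the paths and file contents are invented for the demo) and reports script files whose modification time is at or after the baseline.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Extensions a web server would execute. ".aspx" is the one relevant to an
# IIS-hosted Exchange front end; the others are included as an assumption so
# the scan generalizes to other web servers.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}

# Trusted baseline: anything modified at or after this point is reported.
# The date is a constructed value for the demo, not an IoC from the article.
BASELINE = datetime(2021, 1, 1, tzinfo=timezone.utc)


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_recent_script_files(root, baseline=BASELINE, extensions=SCRIPT_EXTENSIONS):
    """Return a sorted list of (relative_path, mtime_iso, sha256) for every
    script file under `root` whose mtime is at or after `baseline`."""
    root = Path(root)
    cutoff = baseline.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in extensions:
                continue
            st = p.stat()
            if st.st_mtime >= cutoff:
                mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat()
                hits.append((p.relative_to(root).as_posix(), mtime, file_sha256(p)))
    return sorted(hits)


def build_demo_tree() -> Path:
    """Constructed sample: one page older than the baseline (legitimate) and one
    page dropped after it (what a web shell would look like to this scan)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    auth = root / "auth"
    auth.mkdir(parents=True)

    old = auth / "logon.aspx"
    old.write_text("<%-- constructed sample: pre-existing page --%>")
    old_ts = datetime(2020, 12, 1, tzinfo=timezone.utc).timestamp()
    os.utime(old, (old_ts, old_ts))

    new = auth / "help.aspx"
    new.write_text("<%-- constructed sample: file that appeared after the baseline --%>")
    new_ts = datetime(2021, 2, 28, tzinfo=timezone.utc).timestamp()
    os.utime(new, (new_ts, new_ts))
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, mtime, digest in find_recent_script_files(demo_root):
        print(f"{mtime}  {digest[:16]}  {rel}")
```

Modification times are easy for an intruder to rewrite, so treat the date filter as a way to shorten the list, not as proof of innocence for older files; the hash column is what you compare against a clean install or a known-good backup of the same Exchange build.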

Neither Microsoft nor Volexity is aware of publicly available code that would allow other cybercriminals to exploit these Exchange vulnerabilities. But given that these attacks are in the wild now, it may only be a matter of days before exploit code is publicly available online.

Microsoft stressed that the exploits detailed today were in no way connected to the separate SolarWinds-related attacks. “We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.

Further reading:

Microsoft’s writeup on new Hafnium nation state cyberattacks

Microsoft technical advisory on the four Exchange Server flaws


32 thoughts on “Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails”

  1. E.M.H.

    Microsoft’s documentation on this is pretty good: They’ve listed IoCs, descriptions of the activities seen, detection scripts for Azure hosted Exchange, etc.

    The CVSS score for the SSRF vulnerability is a 9.1. Ouch. That one’s a “I’m going to be late for dinner tonight” patch for Exchange service administrators.

    It’s not great that this flaw was present, but it looks like it’s being addressed as well as it can be. That’s a good thing.

    1. BrianKrebs Post author

      Some perspective from a reader on LinkedIn:

      https://www.linkedin.com/feed/update/urn:li:activity:6772629053879959553?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A6772629053879959553%2C6772653127775735809%29

      Thanks for the alert Brian. Don’t think Office 365 customers are in the clear. Most implementations we have deployed over the years, and Microsoft best practice recommendations always recommend a Hybrid Exchange Server on-prem for AD 2-way password sync functionality. Also needed for SMTP Relay and some other purposes. Microsoft offers free Exchange Server software license to any client with a single 365 Enterprise E3 subscription to encourage this as well.

      So …. most clients have an Exchange Server on-prem when they have Office 365 for email.

      Which means they need to patch that server now.

      Most CXO non-technical managers who hear “only affects Exchange Servers on-prem and not Office 365” will breathe a sigh of relief incorrectly.

      Make sure to help others understand this.

      1. E.M.H.

        He’s 100% right. Hopefully orgs that deploy hybrid will have the common sense to recognize this… but yeah, it bears mentioning. And highlighting. And all caps. 😀

        Also, remember: O365/Exchange Online may not be *vulnerable* to this flaw, but in hybrid environments – especially for those in transition to full online – those stolen credentials from on-prem compromises can be used in O365 if the accounts are synched and the identity is the same in both on-prem and Azure AD/Exchange. So not being affected doesn’t necessarily mean can’t be penetrated.

        If anyone knows of something that stops an on-prem credential theft from affecting O365, please let me know. Also, chime in if I get anything wrong; there’s still a ton of stuff I’m learning about the Microsoft cloud environment, and I don’t want any mistakes I make to go uncorrected. But the above is how I understand things.

      2. E.M.H.

        Oh, wait… I just realized I basically restated what that LinkedIn commenter said. Heh…. guess I should’ve read more closely. My fault.

        1. Eh

          I’m curious to know what the risk is if your Hybrid servers are not directly accessible via the internet (isn’t that best practice?)

      3. Ishaan

        Do any of these affect Microsoft Exchange Server 2016 Cumulative Update “14”?

        1. Peter C

          From what I understand all flavors of Exchange 2013, 2016 and 2019 are vulnerable.

          You should update to CU19 in addition to applying these latest security updates, as there are other exploits that were patched in CU17 and CU18.

      4. JamminJ

        In a hybrid environment, it should be possible to have strict firewall rules, IP Whitelisting that restricts traffic only to connections from Microsoft Azure/O365.

        An organization which has migrated to O365, can still have on-prem exchange servers. But I can’t think of a reason to allow them wide exposure to the internet anymore.

      5. Anita

        Hi

        What’s the name of the update that I need to use to update my Microsoft accounts? Gmail, OneDrive, etc.

        I keep updates on all of my devices. Thank you

  2. The Sunshine State

    This isn’t in my wheel house :–)

  3. UPSers

    Microsoft credited researchers at Reston, Va. based Volexity for reporting the attacks. Volexity President Steven Adair told KrebsOnSecurity it first spotted the attacks on Jan. 6, 2021.

    1. OndraH

      Does anybody have information on when these actively exploited vulnerabilities were reported to MS? It is unusual that it took almost two months from spotting exploitation of an unpatched vulnerability to releasing fixes. Especially in such a case, where the majority of deployments have the vulnerable interface (i.e. OWA) open to the public network.

  4. epayitonline

    Thanks for updating us with the latest information.

  5. directswing

    Watch out when using the KB for 2013 CU23. It doesn’t restart all of the required services so be sure and check that before coming out of maintenance mode.

    1. Xeiran

      And providence help you if you cancel the CU23 update in the middle like I did – it not only stops but also disables most Exchange services as well as various OS services like WWW and IISadmin before continuing its update – and if you cancel the update (because you just now realized it is immediately impacting business rather than leaving running processes alone and only queueing them for update upon restart) it will leave all those services disabled – good luck figuring out which were originally automatic vs manual vs originally disabled.

  6. Jeffrey

    Note the timestamp on the files in the update… MS patched this on the 12th of February. My guess is they were hoping to wait out until Patch Tuesday, but things got out of hand last weekend.

    1. BR

      I did a lookup on MXToolbox and it looks like they are Office365.

    2. JamminJ

      No, but Qanon does.

      Stop with the conspiracy reaching.

    3. Mike Skips

      Like the voting machines were connected to Exchange servers. Grow up!

  7. mahi patel

    If I can write like you, then I would be very happy, but where is my luck like this, really people like you are an example for the world. You have written this comment with great beauty, I am really glad I thank you from my heart.

  8. iMessage PC

    After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised server, Microsoft said. Web shells are essentially software backdoors that allow attackers to steal data and perform additional malicious actions that lead to further compromise.

  9. OndraH

    The “pre-AD” Exchange versions (4.0 to 5.5) were well designed and also well written. For example, installation/patching/uninstallation of Exchange Server didn’t need a reboot of the underlying OS. One design point was applying the principle of least privilege, and indeed the Exchange services didn’t require high privileges – we normally ran those under non-admin service accounts, of course with appropriate ACLs set so the services could do their work. This changed with version 2000, which was completely rewritten (except ADC, where its DS was taken from 5.5) and quite problematic (withdrawn after RTM and re-released with vital fixes). Most of the Exchange 2000 services ran under the LocalSystem account, so we asked MS people: “Did the developers get mad? Why does all that stuff run unrestricted?” Their off-record response was that the new version was developed in a hurry to align most of their product portfolio with the introduction of AD in Windows 2000, and all the shortcuts taken during accelerated development would be addressed in subsequent service packs and future releases. But it never happened. Today there is a lot of code in Exchange Server that processes data from untrusted sources and runs in an unrestricted context. Of course, running those services restricted would not prevent exploitation of the current vulnerabilities, but it surely would limit what the attacker can do after exploitation. Now we are facing complete compromises of systems running affected Exchange services due to Microsoft’s omission of basic security design principles, known at least since the ’70s.

  10. Vee

    I’m going to bet money that Office 365 is more affected than currently reported. My org, which uses Office 365 through a MSP that likely has a hybrid on-prem server on their end, was hit last week with a bizarre case of 50,000 outbound spam emails sent in a few minutes tied to our tenant, but not originating from any of our mailboxes – seems like it was being used as an open relay.

    The originating IP for all of these spam emails was 64.225.48.150, which is a Digital Ocean IP (just like the other IPs tied to this attack, at least according to Huntress). Subject was “advence” (sic) with a lightning-bolt emoji, and all recipients seemed to be bellsouth.net email addresses. Sending address was always spoofed as “support{x} AT {x}keychron.com”, where {x} was a random four-digit alphanumeric string.

    When the issue was reported to the MSP last week, it was because our tenant had suddenly been blocked by Microsoft for a high volume of outbound spam, with no mailbox logs to support that. The MSP opened a ticket with Microsoft, who apparently claimed it was “related to a connector,” the spam ban was lifted an hour later, and that was the end of it until we started looking into it further on our end.

    MSP still hasn’t officially made a statement about it, but we’re technically just paying for Office 365. I’m not sure how they run things on their end in terms of hybrid servers, but my point is, the scope will likely be a lot bigger than Microsoft is currently reporting.

    1. JamminJ

      There are likely many other vulnerabilities that could explain spammers. Open relay for sure.

  11. marc

    “…first spotted the attacks on Jan. 6, 2021…”
    Generally published by media Mar 5th
    Nice work everyone – I guess I’m only 2 months late finding out about it.

  12. marc

    Jan. 6, 2021!
    Why is this lit up just this week 3/2-3/4 then?

    1. BrianKrebs Post author

      Because Microsoft issued patches for the flaws on Tuesday. So, this is being viewed as mad rush to compromise all vulnerable systems while they are still unpatched. A race against the clock, basically.

  13. Saeed

    I ran the PS script of MSFT and it seems it has detected some suspicious activities in the logs, what should I do now, we have a hybrid setup and on-premise Exchange doesn’t have any onsite mailboxes, just took over the environment a year ago, 443 and 25 were still forwarded to the on-premise Exchange server, I have since disabled this as I don’t see any incoming traffic on these ports for the on-premise Exchange server but nothing is mentioned about what to do if you see these suspicious activities in the logs, mine is Exchange 2013 CU19 and I will be updating it to CU23 and applying the patch but what next for me..please help..

  14. Sarah

    This is all well and good except for the fact that it says nothing of how to report any problems resulting from the breach besides using the new security patch, which I can’t even find to install/update. My info has been further compromised and I need to know where to go from here?
