
WASHINGTON: The Cybersecurity and Infrastructure Security Agency released an advisory overnight in which it “strongly urges” the immediate patching of Microsoft Exchange servers as a widening range of threat actors continue to actively exploit four zero-day vulnerabilities initially targeted by China.

CISA also published an informational web page that contains detailed guidance on detecting and remediating the recently disclosed vulnerabilities in Microsoft’s widely used email server.

The CISA advisory characterizes ongoing exploitation of the vulnerabilities as “widespread and indiscriminate.” The informational web page highlights that threats to organizations extend beyond stolen email. These vulnerabilities open the door to multi-stage hacks, which could include follow-on ransomware and “even a destructive attack,” CISA notes.

The advisory comes as security professionals are increasingly observing multiple threat actor groups, from nation-states to cryptominers, exploit the zero-day vulnerabilities in what Recorded Future characterizes as “a free-for-all against Exchange servers.”

The guidance page is notable in that it is organized into information “for leaders” and “for IT security staff.” CISA advises leaders to “immediately address this incident” and provides representative questions to ask the security professionals working to mitigate the threat. CISA suggests leaders get “frequent updates” from security staff, whether in-house or third party, until the vulnerabilities have been fully remediated.

The informational page provides security professionals with a comprehensive set of links to information, guidance, and tools created by Microsoft and CISA to detect and mitigate vulnerabilities.

CISA’s overnight advisory is just the latest in what has been a week of repeated dire warnings to organizations. Former CISA Executive Director Chris Krebs tweeted last week: “This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03.”

As the scale and scope of the hacking campaign become clearer, questions turn to broader issues, such as the timing of the campaign’s discovery, how the stolen information might be used, and what the U.S. response might be. These questions are tricky to answer concretely right now because there is still much more to learn.

In Microsoft’s Mar. 2 disclosure of the four zero-day vulnerabilities, the company identified a previously unknown China-based group the tech giant dubbed HAFNIUM as the initiator and original primary threat actor. Microsoft expressed high confidence in its assessment and attribution, based on threat intelligence and forensic evidence the company gathered.

Chinese cyberespionage is not exactly new news. Dean Cheng, senior research fellow at the Heritage Foundation, told Breaking Defense, “This is part of the much larger Chinese effort to constantly be ferreting out new vulnerabilities and then exploiting them — with no end in sight.”

But the timing of the campaign’s discovery raises questions. Microsoft, Volexity, and now Dubex all say they independently observed a threat actor exploiting the Exchange server vulnerabilities in early January. The earliest known public mention of two of the four zero-days appears to be a Jan. 5 tweet by a DEVCOR security researcher using the Twitter handle Orange Tsai. So the campaign was discovered not only during a presidential transition, but during one of the most uncertain presidential transitions in living memory.

However, it is difficult at this point to read too much into the timing because of unanswered questions. For instance, it is unclear whether a threat actor had been exploiting these vulnerabilities even before January and, if so, for how long. It is also uncertain whether a threat actor discovered the four zero-days recently and, given their value, immediately began exploiting them, or instead found them some time earlier and had been saving them for an opportune moment to strike.

Nicholas Eftimiades, an expert on Chinese cyberespionage and a contributor to Breaking Defense, told us that “China’s strategy since the Biden administration won office has been to escalate offensive operations in cyber, military, propaganda, and diplomatic domains. We have seen this globally. This strategy is designed to put the U.S. and other nations in a defensive posture as negotiations begin on geopolitical and economic issues.”

That doesn’t necessarily mean this particular hack being discovered at this particular time was anything more than a “coincidence,” Eftimiades cautioned, saying the information available is too limited to do more than “speculate.”

Heritage’s Cheng doesn’t see this campaign as necessarily being linked, directly or specifically, to the presidential transition or new administration. Asked whether this might be China “testing” the new administration early on, Cheng said, “No, because the Chinese have never stopped their cyberattacks and intrusions. The Chinese will pay close attention to the Biden administration response. And they are clearly pushing Biden broadly — telling him to back off supporting Taiwan, for example. But that does not mean it’s a ‘test,’ as though if Biden responds strongly he ‘passes’ or ‘fails’.”

“Cyberattacks are, and will continue to be, a key part of Chinese foreign policy, defense policy, and economic policy,” Cheng added. “No matter who is POTUS, that will continue. So, there’s not much ‘testing’ going on.”

Given the estimated large number of victims, there’s only sparse publicly available information right now on who the specific victims of this hack are. Microsoft said it has observed HAFNIUM operating against a range of targets, including “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.”

Other security industry observers said last week that, following public disclosure, threat actors with no apparent connection to HAFNIUM had already begun actively exploiting the vulnerabilities. The motivations of these distinct threat actor groups may not be cyberespionage, as HAFNIUM’s primary motive appears to be.

There are still questions about exactly how much and precisely which types of information have been exfiltrated from victim organizations. “Information of all sorts matters, and the ability to access that information is an integral part of [China’s] strategy,” Cheng observed. “Thus, the Chinese are interested in economic, political, military, and technological information. As important, they may use military cyber specialists to obtain economic information, or certain dedicated university’s faculty and students to obtain political or military information. It is much more of a whole-of-society approach to espionage.”

As for the potential uses of stolen data, “Depending on the kind of information that is accessible via the Microsoft Exchange servers, the Chinese will exploit all of it.” To what end? Cheng said possibilities range from “building very substantial relationship networks” to understanding what organizations’ “decision-making process comprises.”

Cheng noted emails are not the only information likely being stolen here. There are also email attachments and email address lists. “Tie said address lists to other information, such as OPM databases or credit reports,” he said, referring to the 2015 U.S. Office of Personnel Management breach and the 2017 Equifax breach, “and you can start building out who might be vulnerable in an organization, or who might be an intelligence officer.”

Though this is just the latest campaign, it likely won’t be the last in cyberspace or by other avenues, Cheng said. “Espionage — our term, not theirs — is absolutely integral to the broader goal of obtaining information. The Chinese, sort of like the Borg in Star Trek, seek out information. They will buy it. They will license it. They will steal it. All as part of the broader effort to modernize key industries and improve competitiveness.”