Sunday, March 7, 2021

Microsoft Exchange hit by state-sponsored hackers from China

Microsoft warned enterprises using its on-premises Exchange Server platforms of multiple 0-day exploits being used in limited and targeted attacks. These exploits do not affect Microsoft 365 or Azure Cloud deployments.

Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM, which primarily targets entities in the United States across a number of industry sectors, exfiltrates data to file sharing sites like MEGA. The group is believed to use leased virtual private servers (VPS) in the United States to launch its attacks.

In the attacks observed, HAFNIUM used the newly discovered vulnerabilities to access on-premises Exchange servers, which gave it access to email accounts and allowed it to install additional malware to facilitate long-term access to victim environments.

According to media reports, the attack potentially compromised up to 30,000 organizations.

Microsoft has released out-of-band security updates to address four vulnerabilities in Exchange Server. In addition, Microsoft has released alternative mitigation techniques for Exchange Server customers who are not able to apply these updates immediately.

Separately, the U.S. Cybersecurity and Infrastructure Security Agency issued a directive requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks.

In addition, the European Banking Authority confirmed that it had been compromised by the attack and that, as a precautionary measure, the EBA had decided to take its email systems offline.

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/