Security Advisory: Multiple Microsoft Exchange exploits being used by Threat Actor Hafnium

Microsoft has recently just announced a security update with regards to a set of new exploits found being primarily used by a state-sponsored threat actor based in China which Microsoft has called Hafnium. The previously unknown exploits used by Hafnium targets on-premise exchange server software to gain initial access to the network by disguising themselves as someone with access privilege. They then create what is known as a web shell to gain control over the compromised server remotely, making it easy to steal data.

Affected Servers and the Remediation

The exploits used by Hafnium targets Microsoft Exchange Servers, so users of Microsoft Exchange Online are not affected. Below are the versions that can be targeted by the exploits:

  • Microsoft Exchange Server 2013 
  • Microsoft Exchange Server 2016 
  • Microsoft Exchange Server 2019

Microsoft highly recommends that businesses with the affected Exchange servers immediately update them with the latest security updates to ensure protection against the exploits. If you are unable to immediately do so for all servers, Microsoft has said that you need to first prioritize external facing servers as they are the most vulnerable to these attacks but ultimately you would need to update them all to stay safe. Listed below are the security patches released by Microsoft for each exploit:

Is it possible to check if I have been already affected by these exploits?

Microsoft has released a detailed guide on ways to check you network logs to see if you have been affected, you may refer to this link if you would like to read more on it.