Beware: bad guys could now own your Exchange OWA server - Tecbound Technology


Earlier this month, Microsoft revealed that a China-based hacker group called Hafnium launched a cyber attack against organizations to exploit four Microsoft Exchange Server software vulnerabilities.

The attacks are carried out in three steps, according to Microsoft.

First, the group gains access to the Exchange server, either with stolen account credentials or by using the vulnerabilities to impersonate a user who has access. Second, it establishes remote control of the compromised server by creating a web shell, a piece of malicious code that gives attackers remote administrative access. Finally, the group uses this remote access to steal data from the organization’s network.

Hafnium’s primary goal is to extract information from organizations in different industries, such as infectious disease researchers, law firms, higher education institutions, defense contractors, politicians, and non-governmental organizations. Although Hafnium is based in China, the group runs its malicious operations primarily through leased virtual private servers in the United States, Microsoft said.

On March 2, Microsoft released emergency security updates to mitigate these vulnerabilities in Exchange Server 2013 through 2019. Microsoft has urged all organizations running these versions to patch their servers as soon as possible, prioritizing externally facing servers.

“We strongly encourage all Microsoft Exchange Server customers to apply these updates immediately,” Microsoft said in a blog post. “Exchange Server is used primarily by commercial customers, and we have no evidence that Hafnium’s activities are directed at individual consumers or that these exploits affect other Microsoft products. Although we have worked quickly to implement an update for Hafnium exploits, we know that many hackers will move quickly to take advantage of any unpatched system. Immediate patching is the best protection against this attack.”

The organizations affected also appear to be those that host their internal installations of Microsoft’s Outlook on the web (OWA) service rather than using the cloud-based version, according to Reuters.

Applying the updates addresses the vulnerabilities, but it does not guarantee that the server has not already been compromised. Malicious actors could have established a “foothold” they can use as a backdoor into the network. Microsoft recommends two specific actions:

  • Confirm that your Exchange Server patch levels are correct.
  • Run the script Microsoft created to find indicators of compromise.
