US local governments targeted by Microsoft Exchange zero-day Vulnerabilities Exposing them to Geo-Poli-Cyber Motivated Hacks

On March 2, Microsoft warned that the four zero-day vulnerabilities — now tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — were being exploited by threat actors. The vulnerabilities could be exploited to compromise servers running Exchange Server 2013, 2016, and 2019 software.

“This discovered vulnerabilities exposed local and federal US governments operations and entities to Geo-Poli-Cyber motivated attacks which have greater  potential damage consequence than financially motivated hacks, such as ransomware.  They directly impact people lives and livelihood. The exploits enable hacker to leverage information they gathered from such Zero-Day vulnerabilities to perpetrate attacks such as the recent attack on Florida’s water treatment system  where hackers tried to remotely poison the water supply:” said an MLi Group Cyber Survivability and Security Zero-Day expert.

Survivability News Report

Geo-Poli-Cyber Hackers successfully Breach Florida’s Treatment System to Remotely Poison Water Supply

Microsoft has urged customers to immediately apply patches provided to fix the vulnerabilities, but as is often the case with the disclosure of zero-days, cyberattackers are quick to exploit them.

A wave of attacks against US targets has been tracked that abuses the Exchange security flaws.

Among the latest victims are local government entities, an unnamed university, an engineering company, and a host of retailers in the United States.

This month, one threat actor was observed using at least one of the vulnerabilities to deploy a web shell on a vulnerable Exchange server in order to “establish both persistence and secondary access,” according to the team. In two cases, cyberattackers sought to delete existing administrator accounts on Exchange servers.

Credential theft, the compression of data for exfiltration, and the use of PowerShell to steal entire email inboxes were also recorded. Covenant, Nishang, and PowerCat tools are being used to maintain remote access.

The compromise of two other entities, a Southeast Asian government and a Central Asian telecommunications firm, may be related to this campaign.

The activity that has been observed, coupled with others in the information security industry, indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments and which is  followed quickly by additional access and persistent mechanisms.

Microsoft has previously attributed attacks to Hafnium, a Chinese state-sponsored advanced persistent threat (APT) group. The APT has been connected to assaults in the past against US defense firms, the legal sector, researchers, and think tanks.

More clusters of intrusions are expected to appear, a problem that will likely be ongoing until more vulnerable servers are patched.  Kaspersky says that there is a high risk of ransomware and data theft.

Microsoft Exchange users are urged to update their software as quickly as possible.

In related news this week, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive instructing federal agencies to immediately tackle the Microsoft Exchange vulnerabilities.

Have a tip or scoop? Do you have info about corruption that needs to be investigated and responsibly exposed ? Get in touch securely via WhatsApp at +44 7771 927378 | Signal at +447766 098270