Microsoft has detected multiple zero-day exploits being used against on-premises versions of Microsoft Exchange Server in targeted attacks. In the attacks observed, the attackers used the vulnerabilities to gain unauthorised access to on-premises Exchange Servers, which in turn gave them access to email accounts and the ability to plant additional malware, such as web shells, to keep long-term access to victims’ servers.
Microsoft has attributed these attacks to HAFNIUM, a state-sponsored group assessed to operate out of China. The group is known to target primarily entities in the United States across a wide range of sectors, but organisations elsewhere should not assume they are out of scope: the vulnerabilities are in the product rather than in any particular victim, so any internet-facing Exchange Server is a potential target.
Microsoft has released security updates that patch the vulnerabilities, together with updated tools and investigation guidance to help organisations determine whether they have already been compromised and how to remediate. These can be found here:
Microsoft currently advises that ALL organisations running an internet-connected, on-premises Exchange Server apply the latest security updates immediately. Where that is not immediately possible, the ‘Exchange On-Premises Mitigation Tool’ (EOMT) is designed for customers who are unfamiliar with the update process or who have not yet applied the on-premises Exchange security update; it applies mitigations that block the known exploitation paths. It can be found at:
It is important to note that the mitigation tool is a temporary measure only, to be used until the Exchange Server can be properly updated and patched. Neither the mitigation nor the patch removes anything an attacker has already planted, so any server that was exposed to the internet before being patched should also be checked for signs of compromise using Microsoft’s investigation guidance.
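The two checks an administrator typically wants to run first after an advisory like this are (a) is the installed Exchange build at or above the patched build, and (b) have any new .aspx files appeared under the Exchange web roots, which is where planted web shells usually end up. The following PowerShell script is an added example written for this page; it is not Microsoft’s mitigation tool or its investigation scripts, and it does not replace them. It assumes the standard Exchange 2013/2016/2019 install layout (the `HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup` registry key and `Bin\ExSetup.exe` under the install path), and the patched build number (`$PatchedBuild`) must be supplied by the administrator from Microsoft’s release notes for their Cumulative Update, since the advisory above does not list build numbers. The script is read-only: it changes nothing on the server.

```powershell
<#
Added example, not part of the original advisory or of Microsoft's tooling.
Read-only triage for an on-premises Exchange Server:
  1. Compare the installed Exchange build against an admin-supplied patched build.
  2. List .aspx files modified recently under the Exchange and IIS web roots.
Assumptions: Exchange v15 registry key and ExSetup.exe layout; $PatchedBuild
comes from Microsoft's release notes (example value in the usage note below).
#>
param(
    # Minimum build the administrator has verified as patched for their CU.
    [Parameter(Mandatory = $true)][version]$PatchedBuild,
    # Look-back window (days) for "recently modified" web files.
    [int]$DaysBack = 30
)

$SetupKey = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'

function Get-ExchangeInstallPath {
    # MsiInstallPath is written by Exchange setup and points at the install root.
    (Get-ItemProperty -Path $SetupKey).MsiInstallPath
}

function Get-ExchangeBuild {
    param([string]$InstallPath)
    # ExSetup.exe's file version reflects the Security Update level, whereas
    # Get-ExchangeServer's AdminDisplayVersion only shows the Cumulative Update.
    $exSetup = Join-Path $InstallPath 'Bin\ExSetup.exe'
    [version](Get-Item -Path $exSetup).VersionInfo.ProductVersion
}

function Test-ExchangePatched {
    param([version]$Installed, [version]$Required)
    # [version] compares all four components numerically, not as strings.
    $Installed -ge $Required
}

function Find-RecentAspx {
    param([string]$InstallPath, [int]$Days)
    $since = (Get-Date).AddDays(-$Days)
    # Web roots chosen for this example: the Exchange front-end and back-end
    # virtual directories plus the default IIS site root (assumption, not an
    # exhaustive list from the advisory).
    $roots = @(
        (Join-Path $InstallPath 'FrontEnd\HttpProxy'),
        (Join-Path $InstallPath 'ClientAccess'),
        (Join-Path $env:SystemDrive 'inetpub\wwwroot')
    ) | Where-Object { Test-Path -Path $_ }

    Get-ChildItem -Path $roots -Recurse -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime, Length
}

# --- Run the triage -------------------------------------------------------
$installPath = Get-ExchangeInstallPath
$installed   = Get-ExchangeBuild -InstallPath $installPath
$patched     = Test-ExchangePatched -Installed $installed -Required $PatchedBuild

Write-Output ("Exchange install path : {0}" -f $installPath)
Write-Output ("Installed build       : {0}" -f $installed)
Write-Output ("Required build        : {0}" -f $PatchedBuild)
Write-Output ("Patched               : {0}" -f $(if ($patched) { 'YES' } else { 'NO - apply the security update or the mitigation tool now' }))

$recent = @(Find-RecentAspx -InstallPath $installPath -Days $DaysBack)
Write-Output ("`n.aspx files modified in the last {0} days: {1}" -f $DaysBack, $recent.Count)
if ($recent.Count -gt 0) {
    # Every hit needs a human look: legitimate files are updated by CUs/SUs,
    # so compare timestamps against your patch dates before calling it a shell.
    $recent | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell on the Exchange Server, e.g. `.\Check-Exchange.ps1 -PatchedBuild 15.1.2176.9 -DaysBack 30` (the build shown is only a placeholder for the format; take the real value for your CU from Microsoft’s release notes). A build at or above the patched level answers the first question; a “NO” means the server is still exposed and the update, or at minimum the mitigation tool, should be applied straight away. Recently modified .aspx files are not proof of compromise on their own, since Cumulative and Security Updates rewrite legitimate files, but any that were modified outside a maintenance window, or that sit in a directory where Exchange does not normally write, should be treated as a suspected web shell and handled under Microsoft’s investigation guidance rather than simply deleted.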