Four bugs in Microsoft Exchange Server are being actively exploited in widespread attacks


Customers are urged to apply emergency patches immediately

Security researchers are warning that four zero-day vulnerabilities in Microsoft Exchange are now being used in attacks against thousands of organizations. 

Microsoft said Exchange customers should apply the emergency patches that it recently released as soon as possible because "nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems."

Over the weekend, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said it was "aware of widespread domestic and international exploitation" of the vulnerabilities. 

Easy-to-exploit bugs

The bugs -- which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 -- are being used in attacks by a Chinese espionage group known as “Hafnium,” researchers said. The group was found to have deployed “web shells” on compromised Microsoft Exchange Servers with the aim of stealing data and installing malware. 

“Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” Microsoft said. “HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.”

Chris Krebs, the former director of CISA, believes state and local government agencies and small businesses will be more widely affected by the attacks than large enterprises. 

"Incident response teams are BURNED OUT & this is at a really bad time," Krebs wrote. 

Around 30,000 organizations in the U.S. have been affected by the attacks, according to Brian Krebs of 

"The intruders have left behind a ‘web shell,’ an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim's computer servers," Krebs said. 
