Critical Zero-Day Exploit in Progress: Microsoft Confirms Active Attacks on Exchange Servers
Microsoft has issued an urgent warning about a zero-day vulnerability (CVE-2024-21410) actively exploited in targeted attacks against on-premises Microsoft Exchange Servers. The flaw, classified as a privilege escalation vulnerability, allows threat actors to gain SYSTEM-level access, the highest privilege level, on compromised servers.
Key Details:
- Who: Microsoft’s Security Response Center (MSRC) and cybersecurity firm Trend Micro identified the attacks, attributing them to a Chinese state-sponsored group tracked as HAFNIUM, previously linked to the 2021 Exchange Server breaches.
- What: The vulnerability enables attackers to bypass authentication and execute arbitrary code remotely. Successful exploitation could lead to data theft, lateral movement within networks, or deployment of ransomware.
- When: Attacks were first detected in early January 2024, with Microsoft confirming exploitation in the wild on February 13, 2024. A patch was released as part of February’s Patch Tuesday updates.
- Where: Targets include U.S. and European organizations, particularly in government, defense, and critical infrastructure sectors. Unpatched Exchange Servers (versions 2013, 2016, and 2019) are at risk.
- Why: The campaign appears espionage-driven, with attackers exfiltrating emails and sensitive documents. Microsoft noted the group’s use of custom malware to maintain persistence.
Impact:
- Over 220,000 Exchange Servers remain unpatched globally, per Shodan scans, leaving them exposed.
- The flaw is chained with other exploits to maximize damage, including CVE-2024-21413, a separate Exchange Server vulnerability patched in the same update.
- Organizations running hybrid Exchange environments (on-premises + cloud) are advised to prioritize patching, as attackers may pivot to cloud resources post-compromise.
Microsoft’s advisory urges immediate patching, though no workaround exists for the flaw. The incident underscores the persistent targeting of Exchange Servers by advanced threat actors.
Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center
{
  "id": "MIC1773980784",
  "linkid": "microsoft-security-response-center",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "industry": ["Government", "Defense", "Critical Infrastructure"],
      "location": ["U.S.", "Europe"],
      "name": "Microsoft Exchange Server Users",
      "type": "Organizations"
    }
  ],
  "attack_vector": "Remote Code Execution",
  "data_breach": {
    "data_exfiltration": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Emails, sensitive documents"
  },
  "date_detected": "2024-01-early",
  "date_publicly_disclosed": "2024-02-13",
  "description": "Microsoft has issued an urgent warning about a zero-day vulnerability (CVE-2024-21410) actively exploited in targeted attacks against on-premises Microsoft Exchange Servers. The flaw allows threat actors to gain SYSTEM-level access, enabling data theft, lateral movement, or ransomware deployment. Attacks are attributed to the Chinese state-sponsored group HAFNIUM.",
  "impact": {
    "data_compromised": "Emails, sensitive documents",
    "operational_impact": "Lateral movement within networks, potential ransomware deployment",
    "systems_affected": "Microsoft Exchange Servers (2013, 2016, 2019)"
  },
  "investigation_status": "Ongoing",
  "motivation": "Espionage",
  "post_incident_analysis": {
    "corrective_actions": "Patch deployment, monitoring for lateral movement, hybrid environment security review.",
    "root_causes": "Unpatched Exchange Servers, zero-day vulnerability (CVE-2024-21410)"
  },
  "recommendations": "Immediate patching of Exchange Servers, prioritize hybrid environments, monitor for lateral movement.",
  "references": [
    {"source": "Microsoft Security Response Center (MSRC)"},
    {"source": "Trend Micro"},
    {"source": "Shodan scans"}
  ],
  "response": {
    "communication_strategy": "Microsoft advisory urging immediate patching",
    "containment_measures": "Patching (February 2024 Patch Tuesday updates)",
    "remediation_measures": "Immediate patching of Exchange Servers",
    "third_party_assistance": "Trend Micro"
  },
  "stakeholder_advisories": "Microsoft advisory urging immediate patching.",
  "threat_actor": "HAFNIUM",
  "title": "Critical Zero-Day Exploit in Progress: Microsoft Confirms Active Attacks on Exchange Servers",
  "type": "Zero-Day Exploit",
  "vulnerability_exploited": "CVE-2024-21410 (Privilege Escalation), CVE-2024-21413"
}