Microsoft Exchange is considered a high-value target for hackers looking to penetrate business networks, as it is email server software, and, according to Microsoft, it provides “a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance.” In the past, Microsoft Exchange has been attacked by multiple nation-state groups.
On 5 January 2021, security testing company DEVCORE made the earliest known report of the vulnerability to Microsoft, which Microsoft verified on 8 January. The first breach of a Microsoft Exchange Server instance was observed by cybersecurity company Volexity on 6 January 2021. By the end of January, cybersecurity company Volexity had observed a breach allowing attackers to spy on two of their customers, and alerted Microsoft to the vulnerability. After Microsoft was alerted of the breach, Volexity noted the hackers became less stealthy in anticipation of a patch.
On 2 March 2021, another cybersecurity company, ESET, wrote that they were observing multiple attackers besides Hafnium exploiting the vulnerabilities. Wired reported on 10 March that now that the vulnerability had been patched, many more attackers were going to reverse engineer the fix to exploit still-vulnerable servers. Analysts at two security firms reported they had begun to see evidence that attackers were preparing to run cryptomining software on the servers.
On 10 March 2021, security researcher Nguyen Jang posted proof-of-concept code to Microsoft-owned GitHub on how the exploit works, totaling 169 lines of code; the program was intentionally written with errors so that while security researchers could understand how the exploit works, malicious actors would not be able to use the code to access servers. Later that day, GitHub removed the code.