On March 2nd, the Microsoft Threat Intelligence Centre (MSTIC) identified zero-day vulnerabilities affecting customers running Exchange Server 2013, 2016 and 2019.
With cyber threat one of the world’s greatest global concerns, this is now the eighth time in the past 12 months that Microsoft has disclosed the targeting of institutions critical to civil society by nation-state groups.
The highly skilled and sophisticated threat actor, Hafnium, operating from China, is being exploited in the wild.
Hafnium exploits have previously been known to target a number of industry sectors within the U.S., pilfering information from infectious disease researchers, law firms, higher education institutions, policy think tanks, defence contractors and NGOs. They are the primary actor seen targeting on-premises Exchange Server software, and carry out the attacks in these three steps:
Accessing an Exchange Server either with stolen passwords or by using previously undiscovered vulnerabilities to disguise itself as someone who would be perceived to have access.
It would create a ‘web shell’ to control the compromised server remotely.
It will use the remote access run from U.S. based private servers to steal data from an organisation’s network.
According to a CISA alert, “Microsoft has released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. A remote attacker can exploit three remote code execution vulnerabilities—CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065—to take control of an affected system and can exploit one vulnerability—CVE-2021-26855—to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild”.
The following day, they issued an Emergency Directive (ED) 21-02 and Alert AA21-062A which addressed critical vulnerabilities in the Microsoft Exchange products. CISA warned, “successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange servers, enabling them to gain persistent system access and control of an enterprise network”. It strongly recommended that organisations examine their systems for any malicious activity and to review the following sources:
A Microsoft blog on the issue assured its readers that they’ve worked quickly to deploy an update for the exploits, but they had concerns over many nation-state actors and criminal groups taking advantage of unpatched systems. They urged their customers to apply the latest patches immediately.
However, their concerns materialised. Attackers worked quickly to find targets across the entire internet, with tens of thousands of victims reported in the U.S. and governments across the globe declaring they too, were compromised. It is thought that more than 30,000 Exchange Servers were hacked across the United States. Email systems in Prague and the Czech Republic’s Labour Ministry have reported hacking incidents, and Norway’s National Security Authority has also raised the alert.
The escalation and severity of events of the last week prompted a rare statement from the Biden administration’s national security adviser, Jake Sullivan.
“We are closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises of U.S. think tanks and defence industrial base entities. We encourage network owners to patch ASAP.”
The Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), are urging organisations that run Exchange Server to actively look for indicators of compromise using “various tools and logs”. If indicators of compromise are detected in cases where organisations lack forensic skills to further investigate, they should "immediately disconnect Microsoft Exchange on-premises servers."
If organisations do not actively seek to root out all vestiges of the Hafnium hack, they potentially leave themselves open and vulnerable to the further penetration of this compromise through previously installed backdoors.
As we publish, there are already cases of ransomware and cryptocurrency mining being reported, that are resulting from this initial attack. Microsoft has evaluated their defence in-depth with an update for Microsoft Exchange Server 2010 now also being released. Organisations must update out-of-support versions of Exchange Server, to a supported version without delay. On March 12th, the NCSC reported further priority actions, guidelines and advise; take a look here.
Resources that will assess your organisation’s current risk landscape, plan for threat prevention, and respond in the event of an incident, are crucial for Exchange Server users at this time. You can access these measures through the following STORM Guidance services:
Cyber risk assessment
Cyber3 is a 90-minute comprehensive security overview that provides complete insight into an organisation’s cybersecurity resilience. The assessment includes a vulnerability scan by digital forensics experts and an evaluation from the attackers-eye-view.
Planning and prevention
STORM Consulting offers practical and instructive advice that helps businesses understand cyber risk, develop policies, and train for incident response.
Cyber incident response
CyberCare offers SMEs access to the industries best cybercrime incident responders, giving them the best chance of recovering after a compromise, with the least impact to their business.
There appears to be no evidence that Hafnium attacks have targeted individual customers; Exchange Server is primarily used by business customers and does not seem to have affected other Microsoft products. Further, there is no connection between these exploits and the SolarWinds attacks.
If you would like to stay up-to-date with the latest news and services at STORM Guidance, you can sign up to our newsletter here.