Cybercriminals are racing to exploit four zero-day bugs in Exchange before more organizations can patch them.
Organizations that run Microsoft Exchange Server are being urged to apply several bug fixes to the program in response to a hack from a Chinese cybercriminal group. The attack has sparked concern among everyone from security experts to the White House.
Early last week, Microsoft revealed that a China-based group called Hafnium has been launching cyberattacks against organizations by exploiting four zero-day vulnerabilities in on-premises versions of its Exchange Server software. The attacks are being carried out in three steps, according to Microsoft.
First, the group is able to gain access to an Exchange server either by using stolen account credentials or by using the vulnerabilities to masquerade as someone who should have access. Second, the group is able to control the compromised server remotely by creating a web shell, a piece of malicious code that gives attackers remote administrative access. Third, the group uses the remote access to steal data from an organization’s network.
The primary objective of Hafnium is to exfiltrate information from organizations in different industries, such as infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and non-governmental organizations. Though Hafnium is located in China, the group runs its malicious operations mainly through leased virtual private servers in the U.S., Microsoft said.
SEE: The 10 most important cyberattacks of the decade (free PDF) (TechRepublic)
In response to the hack, Microsoft has released several security updates for Exchange Server to mitigate the zero-day vulnerabilities. Noting that the flaws affect Exchange Server 2013, 2016 and 2019, Microsoft has urged all organizations with these versions to patch their servers as soon as possible, putting a priority on servers that are externally facing.
“We strongly encourage all Exchange Server customers to apply these updates immediately,” Microsoft said in a blog post. “Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products. Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack.”
Affected organizations also appear to be ones that are hosting their own internal installations of Microsoft’s Outlook on the web (OWA) service instead of using the cloud-based version, according to Reuters. Calling this Microsoft Exchange/OWA hack a pretty elaborate attack, Michael Isbitski, Technical Evangelist at Salt Security, told TechRepublic that he suspects this will impact a lot of organizations still operating their own mail infrastructure rather than using a SaaS like Microsoft 365.
Patching the flaws will protect your organization if you haven’t already been targeted. But those that have been attacked are still vulnerable through infected servers and the lingering web shells that Hafnium can use as a backdoor. To help Exchange users tell if they’ve been compromised, Microsoft recommends two specific actions: Check your patch levels of Exchange Server, and scan your Exchange log files for indicators of compromise. A script from Microsoft can automatically scan your Exchange servers for IOCs.
A blog post from the Microsoft Exchange team and a post from the Microsoft Security Response Center both offer additional details on installing and troubleshooting the patches and investigating for IOCs.
What if your organization has been compromised?
“Patching their Exchange servers will prevent an attack if their Exchange server has not already been compromised,” said Vectra CTO Oliver Tavakoli. “But it will not undo the foothold attackers have on an already compromised Exchange server. Remediation will not be simple–it will effectively require backing up data, re-imaging the Exchange server, scrubbing the backup of any accounts which should not be present, resetting all passwords and secrets, and restoring the remaining backup data.”
At least 30,000 organizations in the U.S. have been hacked so far due to the Exchange Server flaws, multiple sources told security news site KrebsOnSecurity. In the days following the availability of Microsoft’s patches, Hafnium ramped up its attacks on unpatched Exchange servers around the world, according to security experts. Steven Adair, president of Volexity, a company that reported the vulnerabilities to Microsoft, told KrebsOnSecurity that the China-based group shifted into high gear to scan for Exchange servers not yet protected by the security patches.
SEE: Patch management policy (TechRepublic Premium)
The assault against Microsoft Exchange is 1,000 times more devastating than the SolarWinds attack, said Cybereason CEO Lior Div. This is because Hafnium targeted small and medium-sized enterprises, which are the driver of the global economy.
“Just when we are starting to turn the corner after a devastating year, this attack against SMEs is launched,” Div said. “This attack is potentially even more damaging because SMEs don’t typically have as robust a security posture in place, allowing threat actors to prey on the weak and drive strong revenue streams this way.”
The attacks by Hafnium have triggered responses from different government agencies and departments in the U.S. The Cybersecurity & Infrastructure Security Agency issued a warning on March 6, advising organizations to run Microsoft’s script to detect for IOCs. Another advisory from CISA indicated that all federal civilian departments and agencies running Microsoft Exchange on-premises products are required to update or disconnect the products from their networks until the Microsoft patches are applied.
Even the White House has gotten involved. On Friday, White House press secretary Jen Psaki, who referred to the vulnerabilities as “significant” and ones that “could have far-reaching impacts,” cited concerns that there are a large number of victims, according to Reuters. On Sunday, a White House official said that patching and mitigation were not enough for any organizations that were already compromised and urged those with vulnerable Exchange server to take steps to determine if they had been targeted.