A Breakdown of the Recent Microsoft Exchange Hack


Summary of Hack:

On March 2, 2021, Microsoft released patches to fix four vulnerabilities in its on-premises Exchange Server software. Alongside the release, Microsoft stated that the bugs were already being actively exploited in "limited, targeted attacks."

According to Volexity, attacks using the four zero-days may have started as early as January 6, 2021. On March 12, Microsoft focused its investigation on whether the hackers obtained the information needed to gain access to Exchange Server through a Microsoft partner. It is suspected that the hackers got hold of proof-of-concept attack code that Microsoft had shared with antivirus companies as part of its Microsoft Active Protections Program (MAPP).

While Microsoft has been quick to issue fixes, the scope of the Exchange Server compromises depends on how quickly organizations apply the patches. The list of potential victims grows longer as more is discovered about this attack.

At least 30,000 organizations in the US are already thought to have been attacked, but the global number may be much larger.

Vulnerabilities:

ProxyLogon is the name given to the critical vulnerabilities used in the attack. They affect on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Exchange Online is not affected.

The vulnerabilities can be used in what is referred to as an attack chain: combined, they can lead to remote code execution, server hijacking, backdoors, data theft, and potentially further malware deployment. Microsoft says that attackers can gain access to an Exchange server either through these bugs or with stolen credentials, and can then plant a web shell to hijack the system and execute commands remotely.

Responsible Parties:

Microsoft reports that attacks using the zero-day flaws have been traced back to Hafnium, a state-sponsored advanced persistent threat group operating out of China, which the company describes as "highly skilled and sophisticated."

Are you affected? What to do:

In its initial assessment, Microsoft said that Hafnium has previously targeted organizations in sectors such as infectious disease research, legal services, higher education, defense, policy think tanks, and NGOs. However, there are suggestions that the latest, more expansive wave of attacks may be the work of other threat actors. Whatever the source, former CISA director Chris Krebs warns that SMBs, education sector organizations, and state and local governments may be disproportionately affected, as these often have fewer resources to spend on security.

Immediately apply the patches supplied by Microsoft; this should be your top priority. If you cannot patch right away, disconnect any vulnerable servers you may be running. At this time, anyone running an Exchange server needs to take investigative steps to check for signs of compromise.
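As an added example of such an investigative step (not part of the original post or of Microsoft's tooling), the script below lists script files created or modified in Exchange's web-facing directories since the earliest exploitation date given above, since that is where the web shells described in this attack are planted. It assumes it runs on the Exchange server itself with the ExchangeInstallPath environment variable set by Exchange setup; the folder names and the cutoff date are assumptions taken from that convention and from the dates in this post.

```powershell
# Hypothetical hunt script (added example): find recently created or
# modified .aspx/.ashx/.asmx files under Exchange's IIS-served folders.
param(
    # Earliest observed exploitation per Volexity, as stated in the post.
    [datetime]$Since = [datetime]'2021-01-06'
)

# Exchange setup defines this variable on the server (assumption).
$installPath = $env:ExchangeInstallPath
if (-not $installPath) {
    throw 'ExchangeInstallPath is not set; run this on the Exchange server.'
}

# Folders served by IIS for OWA, ECP and Autodiscover (assumed layout).
$webRoots = @(
    (Join-Path $installPath 'FrontEnd\HttpProxy'),
    (Join-Path $installPath 'ClientAccess')
)

$findings = foreach ($root in $webRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                # Hash lets you compare against a known-good server.
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    Write-Warning "Script files created or modified since $($Since.ToShortDateString()); review each against a known-good Exchange install."
    $findings | Sort-Object CreationTime -Descending | Format-Table -AutoSize
} else {
    Write-Output "No .aspx/.ashx/.asmx files created or modified since $($Since.ToShortDateString()) under the checked paths."
}
```

Installing a Cumulative Update or security patch also rewrites files under these folders, so expect hits dated on your patch day and compare anything else against an unpatched-but-clean reference or the file hashes from a known-good server.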

Need Help:

If you need assistance applying patches and checking for vulnerabilities, our team of experts is here to take care of you. Contact us to begin the process.