The Disaster of the Hafnium Attack on Microsoft Exchange
and What to Do About It
– Stel Valavanis
A vulnerability, initially detected and reported in January, has been used in a zero-day exploit to gain access to web-facing Microsoft Exchange email servers. The vulnerability was patched by Microsoft on February 28th, after its exploitation by a hacking group known as Hafnium, tracked by the cybersecurity community as a Chinese state-sponsored intelligence operation, was detected. In one of the most serious directives to date, “The DHS Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-02 on March 3, requiring federal agencies to comply by noon, EST, on March 5.” This attack is now being characterized as a “global cybersecurity crisis”. The level of attack, number of victims, and method of exploit are all unprecedented.
As part of the attack, Hafnium installed a web shell on targeted servers, giving it easy and difficult-to-detect access to those servers thereafter. Microsoft’s patches close the vulnerability but do nothing about a web shell that has already been installed, so a server that was attacked before 2/28 is still at risk even if its administrators patched the moment the patches were released. Victims are only now discovering that they were compromised, and are left to attempt remediation with the little information currently available on the attack.
Normally, Microsoft would have a patch ready and announce the newly discovered vulnerability along with the patches. This time, however, a flood of attacks began while Microsoft was still preparing, suggesting some sort of leak. The attacks appeared to come primarily from Hafnium, which forced Microsoft to issue an urgent call to patch, followed by the DHS action. Soon after, other cybercriminals joined the frenzy, making this perhaps the most severe attack in history when you consider both its pace and the impact a compromised email server represents for corporations and governments.
onShore Security has provided mitigation as part of our service with a statement to our clients seen below. We’ve also provided a short list of immediate actions any company running Microsoft Exchange should take. Underlying this is a serious concern for our amazingly free and open Internet. Will serious vulnerabilities be the norm, considering even the most powerful companies in the world can fall short and are clearly targets? Are we naive in our thinking that the strong can protect us? Is our economic and political posture in the world always a disadvantage? What expectations should we have of nation-state actors let alone cybercriminals? I welcome discussion along these lines. If we want to remain free and open, these are the sorts of questions we need to answer.
The following are five steps your organization can and should take today to protect itself from this attack.
1. Patch your system or take it offline immediately.
If you cannot patch immediately, Microsoft has published specific interim mitigations that reduce the risk until you can.
2. Use threat data to determine if you were targeted.
Along with the patches that remove the vulnerability the attackers exploited to plant their web shell on Exchange servers, Microsoft also released a script that can be used to scan a network for Indicators of Compromise, as well as the Microsoft Support Emergency Response Tool.
Patching and mitigation are not remediation if a server has already been compromised. Any organization with a vulnerable server must take immediate measures to determine whether it was already targeted.
3. Restore data/system from backup.
If targeted, you will need to rebuild your Microsoft Exchange server. Though the /RecoverServer setup mode can be used for part of the process, experts such as Jaap Wesselius have found that some parts must be done manually, such as importing the SSL certificate, setting the Exchange virtual directories, and relocating the SMTP queue database.
4. Establish policy and procedure to detect the exploit.
Use the released IOCs to tune your systems to detect exploitation of these now-known CVEs. Systems can also be tuned to look for behaviors characteristic of Hafnium’s attack, such as authentication bypass, use of Nishang cmdlets or PowerCat, or the creation of child processes. Individual users can take advantage of Microsoft’s AccountGuard service, which has been expanded to include additional features for potential victims of this attack.
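As an added illustration of step 4 (this script is not from the original post, onShore Security or Microsoft), the following PowerShell hunts the Security event log of an Exchange host for the behaviors listed above: the IIS worker process (w3wp.exe) spawning a command interpreter, and process command lines that reference Nishang or PowerCat. It assumes Windows Server 2016 or later with process-creation auditing and command-line logging enabled, so that event 4688 carries the parent process name and command line; the look-back window and the list of interpreter names are my own choices.

```powershell
# Added example (not from the original post, onShore Security or Microsoft).
# Assumes Security event 4688 with "Include command line in process creation
# events" enabled, on Windows Server 2016 or later (ParentProcessName field).
param(
    [int]$Days = 30,                             # assumption: 30-day look-back
    [string]$ComputerName = $env:COMPUTERNAME
)

# Interpreters that the Exchange web worker process has no reason to launch.
$suspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe',
                      'cscript.exe', 'wscript.exe', 'mshta.exe'
# Tooling named in the article; matched case-insensitively in command lines.
$toolMarkers = 'nishang', 'powercat'

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $child  = [string][IO.Path]::GetFileName($d['NewProcessName'])
    $parent = [string][IO.Path]::GetFileName($d['ParentProcessName'])
    $cmd    = [string]$d['CommandLine']

    $reasons = @()
    if ($parent -ieq 'w3wp.exe' -and $suspiciousChildren -contains $child.ToLower()) {
        $reasons += "w3wp.exe spawned $child"
    }
    foreach ($m in $toolMarkers) {
        if ($cmd -match [regex]::Escape($m)) { $reasons += "command line references $m" }
    }
    if ($reasons) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Parent  = $parent
            Child   = $child
            User    = $d['SubjectUserName']
            Reason  = $reasons -join '; '
            Command = $cmd
        }
    }
}

# Any hit is a reason to preserve the host forensically before touching it.
$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```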
5. Review patch management policy and permissions.
Attackers use the higher levels of permission associated with administrator and remote desktop user accounts to access parts of your network and to give themselves further, unfettered access. Reviewing the roles and who should and should not have such permissions (according to your policies) should be part of your continued remediation and protection effort.
Patch management policy and practice are also worth reviewing, as unpatched organizations are still falling victim to Hafnium’s attack, as well as to new efforts by other groups taking advantage of the exploit to access unpatched systems.
onShore Security has released the following guidance to our clients:
Microsoft Exchange On-Premises Vulnerabilities
On Tuesday, March 2nd, 2020, Microsoft issued emergency patching for Microsoft Exchange Server 2013, 2016, and 2019. These patches were issued in response to critical vulnerabilities discovered in Exchange servers exposed to Internet connections. With the release of these software patches, threat intelligence feeds have shown a significant increase in malicious actors attempting to discover and exploit these zero-day vulnerabilities before patching is implemented. Organizations running vulnerable on-premises Exchange servers should ensure that these patches are applied as soon as possible.
onShore Security updated its Panoptic sensors with detection capabilities for these exploits on the evening of March 2nd, 2020. However, as these exploits utilize TLS/SSL encrypted connections on TCP/443, visibility may be limited for Panoptic clients not providing packet decryption capabilities or Exchange Server log feeds to onShore Security’s Panoptic Sensors. If you are unsure of your organization’s security data feeds, please contact your Security Analyst.
Microsoft’s distributed patches address CVE-2021-26855, a “server-side request forgery” (SSRF) vulnerability, which allows attackers to run commands on the Exchange server itself; CVE-2021-26857, which allows attackers to run arbitrary code utilizing the system account; along with CVE-2021-26858 and CVE-2021-27065, which allow the attackers to write and read data on the Exchange server itself. All of these vulnerabilities have been observed being exploited by a presumed Chinese group designated Hafnium, utilizing US-based resources for their attacks. However, with the release of these CVEs and the associated patches, numerous other malicious actors are attempting to exploit these vulnerabilities. While these vulnerabilities are limited to Microsoft Exchange, they could easily be leveraged to gain a foothold in a targeted network to allow for longer, more persistent access.
On Wednesday, March 3rd, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-02 instructing all governmental agencies and civilian contractors to inspect vulnerable Exchange servers for indicators of compromise and to forensically preserve and disconnect those having positive indications. Additionally, organizations showing indications of compromise have been instructed to monitor network connections and hosts beyond Exchange Services for potentially malicious activity.
At this time, onShore Security believes these vulnerabilities, and their exploits, represent a critical risk to clients utilizing on-premises Microsoft Exchange services. Organizations which have not yet applied patching should do so as soon as possible, or severely limit access to Internet-facing Exchange services to only known and authorized IP addresses. As a premier Managed Detection and Response provider, onShore Security is committed to continuing to monitor for abnormal or malicious activity within its clients’ resources.
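As an added example of the interim mitigation in the guidance above, restricting Internet-facing Exchange services to known addresses, the following PowerShell (not onShore Security’s or Microsoft’s code) configures IIS IP and Domain Restrictions on the Exchange front-end site so that only an allow-list of source networks can reach it. It assumes the WebAdministration module and the IIS “IP and Domain Restrictions” role service are installed on the Exchange server, that the front-end site is named “Default Web Site”, and that the addresses shown are placeholders for your own VPN or office egress.

```powershell
# Added example (not from onShore Security or Microsoft): lock the Exchange
# front-end IIS site down to an allow-list of source addresses as an interim
# mitigation. Assumes the WebAdministration module and the IIS "IP and Domain
# Restrictions" role service (Web-IP-Security) are installed; run elevated.
Import-Module WebAdministration

$site   = 'Default Web Site'             # assumption: Exchange front-end site
$filter = 'system.webServer/security/ipSecurity'
$allowed = @(
    # Loopback stays allowed so Exchange's own health probes are not blocked.
    @{ ipAddress = '127.0.0.1' },
    @{ ipAddress = '::1' },
    # Placeholders: replace with your VPN / office egress addresses.
    @{ ipAddress = '203.0.113.10' },                              # single host
    @{ ipAddress = '198.51.100.0'; subnetMask = '255.255.255.0' } # whole /24
)

# Start from an empty rule set so the script is safe to re-run.
Clear-WebConfiguration -PSPath 'IIS:\' -Location $site -Filter $filter

# Deny any source that is not explicitly listed.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter `
    -Name allowUnlisted -Value $false

# One "allow" entry per known network. Writing with -Location puts the rules in
# the <location> element of applicationHost.config, which is honoured even
# though ipSecurity is locked against overrides from web.config by default.
foreach ($rule in $allowed) {
    $rule['allowed'] = $true
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter `
        -Name '.' -Value $rule
}

# Show the resulting rule set for review before leaving the console.
Get-WebConfiguration -PSPath 'IIS:\' -Location $site -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed | Format-Table -AutoSize
```

This also blocks legitimate remote clients (mobile ActiveSync, Outlook Anywhere from home networks) that are not on the list; that is the trade-off the guidance accepts until the patches are applied.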
Chief Technology Officer