Hafnium is out there

Many people thought that the SolarWinds hack couldn't be topped when it hit the news. But truth be told, just when you think things can't get any worse, there is always another disaster waiting around the corner, and the Hafnium attack has been flashing up red alerts across social media and in the news. Microsoft named the Hafnium group as responsible for a recent campaign that exploits vulnerabilities in on-premise Microsoft Exchange Server. It has been very effective so far, with an estimated impact on more than 100,000 organizations worldwide, 30,000 in the USA alone, making the potential 18,000 victims of the SolarWinds hack seem rather paltry in comparison. Several security analysts have already claimed that every Exchange server reachable from the Internet has been hit. So far, reports indicate that the vulnerabilities were used to install at least one backdoor (typically a web shell) that gives attackers persistent, unauthorized access to the affected servers. Experts expect an imminent second wave in which cybercriminals return to those backdoors to install ransomware or other malicious software. Exchange servers usually run with elevated rights within Active Directory, which makes them a prime foothold for moving laterally and attacking other systems on the network.

What is Hafnium?

The Microsoft Threat Intelligence Center (MSTIC) published details of the vulnerabilities and exploits on March 2. Microsoft assesses that the previously unknown hacking group Hafnium, which it believes to be state-sponsored and operating out of China, is most likely responsible for the attack. Hafnium initially targeted servers belonging to medical research institutions, law firms, NGOs and think tanks quietly and selectively. The group used four zero-day vulnerabilities in Microsoft Exchange, which Microsoft had been informed about at the beginning of January 2021. It seems that Hafnium and other criminal groups ramped up their efforts as news of the upcoming patches reached them. From the end of February, security analysts observed a sharp rise in mass scanning and exploitation attempts against every Exchange server accessible from the Internet. Experts have already found individual systems with up to eight different backdoors, indicating that vulnerabilities originally known to only one group are now being exploited by competing groups.

Rapid action is needed

Although patches are available, the situation is so dramatic that the German Federal Office for Information Security (BSI) has issued a red alert, its highest threat level. Hundreds of thousands of Exchange servers worldwide are already compromised. In Germany, tens of thousands of servers are affected, and more are being reported every hour. To prevent further incidents, every Exchange server accessible from the Internet must be patched immediately. All versions from Exchange Server 2010 onwards are affected, although not all to the same extent. This means that the exploited vulnerabilities have been present in Microsoft's codebase for over a decade, and it is hard to imagine that they have not already been used in targeted attacks.

In addition to automated distribution via Windows Server Update Services, the patches are also available for manual installation. Two caveats matter in practice: the security updates only install on recent cumulative updates (Microsoft initially released them for Exchange 2013 CU23, Exchange 2016 CU18/CU19 and Exchange 2019 CU7/CU8), so servers on older CUs must first be brought up to date, and the update must be run from an elevated command prompt, because an unelevated install can report success while leaving the server unpatched. Administrators who use the cloud version of Exchange need to be aware that while Exchange Online itself is not vulnerable, many of these deployments are hybrid and still include on-premise Exchange servers. Although such on-premise servers should not be exposed directly to the Internet, experience shows that many of them are.

Both Microsoft and the security firm Volexity, which detected in-the-wild exploitation of two of the four vulnerabilities in January, have published comprehensive summaries of the attacks. The Danish security firm Dubex found further exploitation of the zero-days against its customers and informed Microsoft in mid-January. In detail, CVE-2021-26855 is a server-side request forgery (SSRF) in the Exchange front end that lets an unauthenticated attacker send arbitrary HTTP requests and authenticate as the Exchange server itself. CVE-2021-26857 is an insecure deserialization flaw in the Unified Messaging service that allows code execution as SYSTEM, although it needs administrator rights or another vulnerability to reach. CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file writes: an attacker who has already authenticated, for example via CVE-2021-26855, can write a file to any path on the server. Chained together, these allowed unauthenticated attackers to drop web shells onto Exchange servers.

What administrators need to do now

Patching is certainly the order of the day, but it is not nearly enough. Administrators should assume their server has already been compromised, which means it must be examined for backdoors or immediately reinstalled. Logs should also be checked for evidence of exploitation and of lateral movement to other systems. Whatever action they take, administrators should immediately back up the data on all affected servers, keeping the backups offline, so that a follow-up ransomware attack cannot destroy it. A good reference for any organization currently under attack is Microsoft's published guidance on Exchange defense. Check My OWA is a useful tool for checking whether a domain is known to have been compromised: enter an email address, and if the domain appears in the database an alert is sent to that address. However, not every affected server and domain is listed in the database, so admins still need to hunt proactively.
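As an added example (not code from the original article or from Microsoft), the following PowerShell script shows what "checking the logs" looks like in practice. It searches the Exchange HttpProxy logs for the CVE-2021-26855 indicator Microsoft published, an AnchorMailbox value of the form ServerInfo~*/*, and lists recently created .aspx files in two directories where the ProxyLogon web shells were commonly dropped. The log excerpt in the script is constructed for illustration and only contains a subset of the real columns; real Exchange logs carry a `#Fields:` header line, which the script reads to name the CSV columns. Microsoft's own Test-ProxyLogon.ps1 script from the microsoft/CSS-Exchange GitHub repository performs a broader version of the same hunt and should be preferred on a production server.

```powershell
# Added example: hunt Exchange logs for ProxyLogon (CVE-2021-26855) indicators.
# Requires the Exchange server's own PowerShell or any PowerShell 5.1+ session on the server.

function Find-ProxyLogonRequests {
    param([string[]]$LogLines)
    # Exchange log files begin with '#' comment lines; '#Fields:' names the CSV columns.
    $fieldsLine = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { return @() }
    $fields = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
    $rows = $LogLines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header $fields
    # Legitimate traffic never carries a ServerInfo~ anchor with a path in it; the SSRF does.
    $rows | Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' } |
        Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
}

function Find-SuspiciousAspx {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    # Two of the directories Microsoft listed as common web shell drop locations.
    $dirs = @('C:\inetpub\wwwroot\aspnet_client')
    if ($env:ExchangeInstallPath) {
        $dirs += Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth'
    }
    foreach ($d in $dirs) {
        if (Test-Path $d) {
            Get-ChildItem -Path $d -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue |
                Where-Object { $_.CreationTime -ge $Since } |
                Select-Object FullName, CreationTime, Length
        }
    }
}

# Constructed sample (not a real log): one legitimate OWA request and two SSRF requests
# from the same external address. Column order is simplified compared with a real log.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Version: 15.01.2176.002
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AnchorMailbox
2021-03-03T08:12:41.114Z,1b2c3d4e,10.0.0.25,mail.example.com,/owa/,alice@example.com
2021-03-03T08:13:02.531Z,5f6a7b8c,198.51.100.77,mail.example.com,/owa/auth/x.js,ServerInfo~a]@mail.example.com:444/autodiscover/autodiscover.xml?#
2021-03-03T08:13:05.902Z,9d0e1f2a,198.51.100.77,mail.example.com,/ecp/y.js,ServerInfo~a]@mail.example.com:444/mapi/emsmdb/?#
'@ -split "`r?`n"

# 1) Run over the constructed sample: the two 198.51.100.77 requests are flagged, the OWA login is not.
Find-ProxyLogonRequests -LogLines $sampleLog | Format-Table -AutoSize

# 2) On a real server, walk every HttpProxy log (the Owa, Ecp, Autodiscover ... subfolders)
#    and then look for freshly written .aspx files.
if ($env:ExchangeInstallPath) {
    Get-ChildItem (Join-Path $env:ExchangeInstallPath 'Logging\HttpProxy') -Recurse -Filter '*.log' |
        ForEach-Object { Find-ProxyLogonRequests -LogLines (Get-Content $_.FullName) } |
        Format-Table -AutoSize
    Find-SuspiciousAspx | Format-Table -AutoSize
}
```

A hit in the HttpProxy logs means the server was at least probed with the SSRF; combine it with the file listing, the IIS logs for the same client address and timestamps, and a review of any .aspx file you do not recognize before deciding between cleaning and reinstalling. An empty result is not proof of safety: logs rotate, attackers delete web shells after use, and the script only covers two of the known drop directories.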