Over 30,000 organizations across the U.S. – including small businesses, towns, cities, local governments, hospitals, and credit unions – are the victims of a hacking scheme suspected to originate from a surprisingly aggressive Chinese cyber-espionage unit called HAFNIUM.
HAFNIUM targeted Microsoft Exchange Server email software with 0-day exploits. The group exploited four newly discovered flaws in the software using tools that gave them total remote control over affected systems – suspected to amount to hundreds of thousands of victim organizations worldwide.
On March 2, 2020, Microsoft released its emergency security updates to plug four security holes in its Exchange Server versions 2013, 2016, and 2019, which attackers used to actively siphon email communications from victims’ Internet-facing systems running Exchange.
According to Microsoft, the Exchange flaws were the target of HAFNIUM, a cyber-espionage unit that Microsoft believes is state-sponsored and operates out of China. The group has already conducted targeted attacks on email systems used across various industry sectors, including law firms, infectious disease researchers, defense contractors, higher education institutions, policy think tanks, and NGOs.
Exchange Servers Hit with 0-Day Exploits
Microsoft reported that it detected multiple 0-day exploits used by HAFNIUM to attack Microsoft Exchange Server’s on-premises version. According to the company, the threat actors used four vulnerabilities to gain access to on-premises Exchange servers that, in turn, enabled access to email accounts.
The group then installed additional malware, known as web shells, to maintain long-term access to and control of victim environments. The web shells the intruders left behind are easy-to-use, password-protected hacking tools accessible over the Internet; they give the malicious actors administrative access and privileges on the victims’ servers.
Microsoft Threat Intelligence Center (MSTIC) identified HAFNIUM as the culprit based on past observed tactics, procedures, and victimology.
The four vulnerabilities exploited are:
- CVE-2021-26855 – an SSRF (Server-side request forgery) vulnerability
- CVE-2021-26857 – an insecure deserialization vulnerability within the Unified Messaging service
- CVE-2021-26858 – an Exchange-based post-authentication arbitrary file write vulnerability
- CVE-2021-27065 – an Exchange-based post-authentication arbitrary file write vulnerability
Microsoft urged all its customers to update their on-premises systems immediately to protect and mitigate against further exploits. The company also specified that Exchange Online was not affected by the attacks.
The company added that it chose to share information about the exploits with its customers and the wider security community to emphasize the critical nature of the vulnerabilities, help defenders protect against the exploits, and prevent future abuse in the ecosystem. Microsoft closed by thanking Volexity and Dubex, who first reported the attacks, and commended both companies for their collaboration in the investigation.
According to security company KrebsOnSecurity, it received credible information from two cybersecurity experts who had briefed U.S. national security advisors about the attacks. The experts reported that the Chinese hacking group involved had seized control of potentially hundreds of thousands of Exchange servers worldwide. Each victim server represents roughly one organization that uses Microsoft Exchange to process email.
Volexity First Reported the Vulnerabilities
Microsoft credited Volexity, based in Reston, VA, as the first to report the vulnerabilities. The company’s president, Steven Adair, said Volexity first noticed attackers discreetly exploiting the Microsoft Exchange bugs as early as January 6, 2021, the day most Americans and much of the world were glued to live television coverage of the insurrection at the U.S. Capitol.
Since Microsoft released its security updates for the four vulnerabilities the hackers used as access points, Adair reports, HAFNIUM has shifted into high gear: the group is reportedly scanning the Internet for Microsoft Exchange servers that are still unprotected by Microsoft’s security updates.
Adair further stated that his company has worked on dozens of cases in which the web shells left on victims’ systems dated back to February 28, 2021. This means that even victims who patched their servers the same day Microsoft released the updates may still have web shells on those servers, and organizations that run Exchange and have not patched are very likely already compromised.
Adair’s concern is that patching the four flaws only blocks the route the hackers use to get into networks; it does little or nothing to undo the damage already done.
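The point above is the one defenders most often miss: the update closes the door, but anything dropped through it before patching is still there. The script below is an added example, not code from the article, from Microsoft or from Volexity. It walks a web root, picks out ASP.NET script files modified on or after the February 28, 2021 date the article quotes, and flags those whose content combines request-parameter reads with a code- or process-execution primitive, which is the signature shape of a script web shell. The directory layout, file names, file contents and pattern list are all constructed for illustration and are assumptions, not Microsoft’s published indicators.

```python
"""Added example: hunting for ASP.NET web shells left behind after patching.

Defender-side illustration only. The sample web root, its file names and
contents, and the heuristic patterns are constructed for this example and
are not Microsoft's or Volexity's indicators of compromise.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Files created or modified on or after this date get a closer look; the
# article quotes web shells dating back to February 28, 2021.
REVIEW_SINCE = datetime(2021, 2, 28, tzinfo=timezone.utc)

# Heuristic pattern classes typical of script web shells: server-side code
# that reads attacker-controlled request input and hands it to something that
# executes it. Constructed for illustration; tune for your own estate.
SUSPICIOUS = [
    re.compile(r"Request\s*[\[\.]"),                          # reads request parameters
    re.compile(r"Process\.Start|cmd\.exe|powershell", re.I),  # spawns a process
    re.compile(r"eval\s*\(|Assembly\.Load|Reflection", re.I), # loads code at runtime
]

def score_file(path: Path) -> int:
    """Return how many of the suspicious pattern classes appear in the file."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return 0
    return sum(1 for pat in SUSPICIOUS if pat.search(text))

def hunt_web_shells(root: Path, since: datetime, min_score: int = 2) -> list[Path]:
    """Walk `root` and flag .aspx/.ashx/.asmx files modified on or after `since`
    that match at least `min_score` pattern classes. Returns sorted paths."""
    flagged = []
    for path in root.rglob("*"):
        if path.suffix.lower() not in {".aspx", ".ashx", ".asmx"}:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime < since:
            continue
        if score_file(path) >= min_score:
            flagged.append(path)
    return sorted(flagged)

def build_sample_tree() -> Path:
    """Create a constructed sample web root with one benign page, one
    shell-like page and one pre-window page, and return its root."""
    root = Path(tempfile.mkdtemp(prefix="webroot_sample_"))
    pages = root / "webroot" / "pages"
    pages.mkdir(parents=True)

    # Benign and recently modified: reads a request value but never executes it.
    (pages / "greeting.aspx").write_text(
        '<%@ Page Language="C#" %><% var u = Request["user"]; %>Welcome'
    )
    # Shell-like and recently modified: request input fed to a process launcher.
    (pages / "sample_dropped.aspx").write_text(
        '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start('
        '"cmd.exe", "/c " + Request["c"]); %>'
    )
    # Shell-like content, but last modified well before the review window.
    old = pages / "legacy.aspx"
    old.write_text('<% eval(Request["x"]); %>')
    old_ts = datetime(2020, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(old, (old_ts, old_ts))
    return root

if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in hunt_web_shells(sample_root, REVIEW_SINCE):
        print("review:", hit.relative_to(sample_root))
```

The modification-time filter is a triage aid, not a guarantee: an intruder can reset timestamps, so a file that scores high should be reviewed regardless of its date, and the score threshold is deliberately two classes so that ordinary pages that merely read `Request` values are not flagged. Run it against a copy of the web root taken for forensics rather than the live server, and treat any hit as a reason to investigate the host, not as proof on its own.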
U.S. Government Response
The U.S. Cybersecurity & Infrastructure Security Agency is working closely with Microsoft and other related government agencies and private security companies to ensure it provides the best possible protection and mitigation guidance for Microsoft customers.
In a written statement, Microsoft said that its customers’ best protection is to apply the updates immediately across all impacted systems. Meanwhile, CISA issued an emergency directive ordering federal civilian agencies and departments running vulnerable Exchange servers to either disconnect the Microsoft products from their networks or update the software.
White House press secretary Jen Psaki told reporters that the vulnerabilities and the subsequent hacking of Microsoft Exchange servers were significant enough to have far-reaching impacts. She also said that the White House was concerned about the large number of potential victims.
Massive Cleanup Job Needed
Adair and other industry experts believe that rooting out these intruders, and guarding against future attacks, will require an urgent and unprecedented nationwide cleanup effort. Experts worry that victims who take too long to remove the backdoors risk broadening the attack, as the intruders may install additional backdoors and gain access to other parts of the victims’ network infrastructure.
The backdoor web shell associated with the Microsoft Exchange hack is verifiably present on thousands of networks of U.S. organizations such as telecommunication providers, banks, credit unions, public utilities, police, rescue units, and non-profits. It also includes city and state governments and just about everyone running self-hosted Outlook Web Access who has yet to patch.
Exchange Servers vs. Exchange Online
Microsoft has emphasized that the vulnerabilities did not affect any of the customers running its Exchange Online service. There will be questions about what Microsoft is doing to secure its non-cloud products. Many of the company’s customers have a hybrid system whereby they have one or more on-premises Exchange servers but host their email on Exchange Online.
In The Cloud Technologies specializes in Microsoft Cloud Services, including Microsoft 365, Microsoft Teams, and Azure. We serve Boston, MA, and the New England region. Contact us today and talk to our professionals about your queries or to book your initial consultation.