Over 30,000 organizations across the U.S. that use Microsoft Exchange Server email software – including small businesses, towns, cities, local governments, hospitals, and credit unions – are the victims of a hacking scheme suspected to originate from a surprisingly aggressive Chinese cyber-espionage unit called HAFNIUM.
HAFNIUM targeted the on-premises version of Microsoft Exchange Server with 0-day exploits. The group exploited four newly discovered flaws in the software, using tools that gave it total remote control over affected systems. The campaign is suspected to have reached hundreds of thousands of victim organizations worldwide.
On March 2, 2020, Microsoft released its emergency security updates to plug four security holes in its Exchange Server versions 2013, 2016, and 2019. Attackers used these holes to actively siphon email communications from victims’ Internet-facing systems running Exchange.
According to Microsoft, the Exchange flaws were the target of HAFNIUM, a cyber-espionage unit that Microsoft believes is state-sponsored and operates out of China. The group has already conducted targeted attacks on email systems used across various industry sectors. These include law firms, infectious disease researchers, defense contractors, higher education institutions, policy think tanks, and NGOs.
Exchange Servers Hit with 0-Day Exploits
Microsoft reported that it detected multiple 0-day exploits used by HAFNIUM to attack Microsoft Exchange Server’s on-premises version. According to the company, the threat actors used four vulnerabilities to gain access to on-premises Exchange servers. That, in turn, enabled access to email accounts.
The group then installed additional malware known as web shells, which give an intruder long-term access to and control of the victim environment. The web shells the intruders left behind are easy-to-use, password-protected hacking tools reachable over the Internet, and they give the malicious actors administrative access and privileges on the victims’ servers.
Microsoft Threat Intelligence Center (MSTIC) identified HAFNIUM as the culprit based on past observed tactics, procedures, and victimology.
The four vulnerabilities exploited are:
- CVE-2021-26855 – an SSRF (Server-side request forgery) vulnerability
- CVE-2021-26857 – an insecure deserialization vulnerability within the Unified Messaging service
- CVE-2021-26858 – an Exchange-based post-authentication arbitrary file write vulnerability
- CVE-2021-27065 – an Exchange-based post-authentication arbitrary file write vulnerability
Microsoft urged its customers to update their on-premises systems immediately to protect and mitigate against further exploits. The company also specified that the attacks did not affect Exchange Online.
The company added that it chose to share the information about the exploits with its customers and the entire security community to emphasize the critical nature of the vulnerabilities, help customers protect against the exploits, and prevent future abuse in the ecosystem. Microsoft finished by thanking Volexity and Dubex, who first reported the attacks, and commended the two companies for their collaboration in the investigation.
According to security company KrebsOnSecurity, it received credible information from two cybersecurity experts who had briefed U.S. national security advisors about the attacks. Alarmingly, the experts reported that the Chinese hacking group involved had seized control of potentially hundreds of thousands of Exchange servers worldwide. Each victim represents approximately one organization that uses Microsoft Exchange to process email.
Volexity First Reported the Vulnerabilities
Microsoft credited Volexity, based in Reston, VA, as the first to report the vulnerabilities. The company’s president, Steven Adair, said that Volexity initially noted attackers discreetly exploiting the Microsoft Exchange bugs as early as January 6, 2021. On that date, most Americans and the world were glued to the televised live coverage of the insurrection at the U.S. Capitol.
Since Microsoft released its security updates for the four vulnerabilities identified as the hackers’ access points, Adair reports that the hacking group HAFNIUM has shifted into high gear. Reportedly, the hackers are scanning the Internet for unprotected Microsoft Exchange servers.
Adair further stated that his company has worked on dozens of cases where the web shells left on the victims’ systems dated back to February 28, 2021. Even victims who patched their servers the same day Microsoft released the updates may still have web shells on their servers. Additionally, there is a high chance that companies that run Exchange and have not patched are already compromised.
Adair worries that patching the four flaws only blocks the route the hackers are using to get into the networks; it does little to nothing to undo the damage already done.
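The point in the two paragraphs above is that patching closes the door but does not remove a web shell that was dropped before the patch, so a responder has to go looking for it. The following is an added, illustrative triage helper, not code from Microsoft, Volexity, or this article. It assumes the responder has a copy of an Exchange server’s IIS web root (the OWA/ECP virtual directories, for example) and wants a first pass over server-side script files that were written after the earliest exploitation date the article reports and that hand request data to an evaluator, process launcher, or file writer. The directory layout, file names, and pattern list are constructed for the example; every hit needs human review, and an empty result does not prove a server is clean.

```python
"""Added example: heuristic web shell triage over a copy of an IIS web root.
Not Microsoft's or Volexity's tooling; paths, sample files and patterns are
constructed for illustration."""
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

# Earliest exploitation date reported in the article (January 6, 2021).
EARLIEST_EXPLOITATION = datetime(2021, 1, 6, tzinfo=timezone.utc)

# Server-side script extensions IIS will execute; a web shell has to be one of these.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Constructs commonly seen in ASP.NET web shells: request data flowing into an
# evaluator, a process launcher, a file writer, or a shell binary. Deliberately
# broad; the goal is a short list for a human to read, not a verdict.
SUSPICIOUS_PATTERNS = [
    re.compile(r"Request\s*[\.\[]", re.IGNORECASE),
    re.compile(r"\bEval\s*\(", re.IGNORECASE),
    re.compile(r"Process\.Start|ProcessStartInfo", re.IGNORECASE),
    re.compile(r"System\.IO\.File\.Write", re.IGNORECASE),
    re.compile(r"cmd\.exe|powershell", re.IGNORECASE),
]


def score_content(text: str) -> List[str]:
    """Return the source text of every suspicious pattern that matches."""
    return [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(text)]


def find_suspect_files(web_root: str, since: datetime = EARLIEST_EXPLOITATION) -> List[Dict]:
    """Walk web_root and report script files modified on or after `since` that
    match at least one suspicious pattern. Sorted by path for stable output."""
    findings = []
    for path in Path(web_root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime < since:
            continue  # predates the campaign window; lower priority for this pass
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = score_content(text)
        if hits:
            findings.append({"path": str(path), "modified": mtime.isoformat(), "hits": hits})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_webroot() -> str:
    """Create a constructed, throw-away web root with one benign page, one
    shell-like page and one non-script file so the scanner runs offline."""
    root = tempfile.mkdtemp(prefix="webroot_")
    owa = Path(root, "owa", "auth")
    owa.mkdir(parents=True)
    # Benign page: no request-to-evaluator flow.
    (owa / "logon.aspx").write_text('<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    # Constructed, non-functional page carrying the tokens a shell would carry.
    (owa / "constructed_sample.aspx").write_text(
        '<%@ Page Language="C#" %>\n<% /* constructed sample, not a working page */ Eval(Request["x"]); %>\n'
    )
    # A non-script file that mentions Request must not be reported.
    (owa / "notes.txt").write_text("Request.Item is not executable here\n")
    return root


if __name__ == "__main__":
    for finding in find_suspect_files(build_sample_webroot()):
        print(finding["path"], finding["modified"], finding["hits"])
```

On a real server the same pass would run against the OWA and ECP directories, and the hit list would be joined with the file's creation time and the IIS logs for the matching URL to decide which files are attacker-written. Because every file in the sample web root is created at run time, the date filter keeps both script files and the pattern filter is what separates the benign logon page from the constructed sample.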
U.S. Government Response to HAFNIUM Hacking
The U.S. Cybersecurity & Infrastructure Security Agency is working closely with Microsoft and other related government agencies and private security companies. Their goal is to ensure they provide the best possible protection and mitigation guidance for Microsoft customers.
According to a Microsoft written statement, their customers’ best protection is to apply the updates immediately across all impacted systems. Meanwhile, CISA issued an emergency directive ordering federal civilian agencies and departments running vulnerable Exchange servers to either disconnect the Microsoft products from their networks or update the software.
White House press secretary Jen Psaki told reporters that the vulnerabilities and the subsequent hacking of Microsoft Exchange servers were significant enough to have far-reaching impacts. She added that the White House was concerned about the large number of potential victims.
Massive Cleanup Job Needed
Adair and other industry experts believe that rooting out these intruders and other future potential attacks requires an urgent and unprecedented nation-wide cleanup effort. Experts worry that victims who remove the backdoors too slowly risk broadening the attack. Intruders could install additional backdoors and gain access to other portions of the victims’ network infrastructure.
The backdoor web shell associated with the Microsoft Exchange hack is verifiably present on thousands of networks of U.S. organizations. Telecommunication providers, banks, credit unions, public utilities, police, rescue units, and non-profits are all among the affected, along with city and state governments and just about everyone running self-hosted Outlook Web Access who has yet to patch.
Exchange Servers vs. Exchange Online
Microsoft emphasizes that the vulnerabilities did not affect any of the customers running its Exchange Online service. There will be questions about what Microsoft is doing to secure its non-cloud products. Many of the company’s customers have a hybrid system. This means they have one or more on-premises Exchange servers but host their email on Exchange Online.
In The Cloud Technologies specializes in Microsoft Cloud Services, including Microsoft 365, Microsoft Teams, and Azure. We serve Boston, MA, and the New England region, so contact us today and talk to our professionals about your queries or to book your initial consultation.