Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium. Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from U.S.-based private servers – to steal data from an organization’s network.
We’re focused on protecting customers from the exploits used to carry out these attacks. Today, we released security updates that will protect customers running Exchange Server. We strongly encourage all Exchange Server customers to apply these updates immediately. Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products.
Exchange Server
In many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.
In this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.
Not one, but four zero-days
Typical zero-day attacks usually take place using a single vulnerability. However, widespread attacks by Hafnium (rumored to be state-run) have taken advantage of four previously unknown vulnerabilities in Microsoft’s “on-premise” versions of Exchange Server.
Tens of thousands of companies are at risk in the US and internationally. Time is of the essence and action must be taken immediately to protect your data.
Short-term “Defense”: Patch, Block Ports and Change Passwords
- Reset all users’ Active Directory passwords with an Exchange mailbox.
- Disable Outlook Web Access and related public-facing ports.
- Download the Microsoft Safety Scanner (MSERT) tool and scan your Exchange Server(s) for web shells left behind by exploitation of these four zero-day vulnerabilities. If the tool reports unknown connections, BLOCK them and perform a forensic investigation to confirm their origin, then act accordingly.
- Disable any single-factor login entry points and employ two-factor authentication with VPN. Close out all direct access to your Exchange Server.
- Monitor ingress and egress points for unusual activity; block IPs and firewall ports that show higher-than-normal traffic.
- Validate that your incident response playbooks contain both business- and IT-related measures to appropriately defend and stop an email breach.
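The MSERT step above looks for web shells, which in the Hafnium case were server-side script files dropped into web-accessible Exchange directories. As an added example (not part of the original article, and not Microsoft's or MSERT's own logic), the script below shows the two checks a defender's own triage scan would combine: files changed after the date the server was last known clean, and files whose content carries indicators typical of ASP.NET web shells. The indicator list, the directory layout and the sample files are all constructed for the demonstration; the third sample file is deliberately backdated to show why a modification-time check alone is not enough.

```python
"""Triage scan of an Exchange web root for web-shell-like script files.
Added example: a hypothetical scanner, not Microsoft tooling."""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field

# Constructed indicator set: constructs that legitimate Exchange pages rarely
# contain but ASP.NET web shells commonly do. A starting point for triage,
# not an authoritative signature list.
SUSPICIOUS_PATTERNS = {
    "request-driven eval": re.compile(r"\b(?:eval|Execute)\s*\(\s*Request", re.I),
    "process launch": re.compile(r"System\.Diagnostics\.Process|cmd\.exe", re.I),
    "runtime compile": re.compile(r"JScript\.Eval|Assembly\.Load\(", re.I),
    "raw request body": re.compile(r"Request\.(?:Form|Item|QueryString)\[", re.I),
}

# Server-side script extensions served by IIS under the Exchange virtual directories.
EXTENSIONS = (".aspx", ".ashx", ".asmx")


@dataclass
class Finding:
    path: str
    modified_after_cutoff: bool
    matched: list[str] = field(default_factory=list)


def scan_web_root(root: str, cutoff_epoch: float) -> list[Finding]:
    """Walk `root` and report script files that were modified after
    `cutoff_epoch` (the time the server was last known clean) OR that
    contain any indicator. Either condition is enough to report; a human
    triages the result, since a recent legitimate update also trips the
    time check and a timestomped shell only trips the content check."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.path.getmtime(path)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    body = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            matched = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(body)]
            recent = mtime > cutoff_epoch
            if matched or recent:
                findings.append(Finding(path, recent, matched))
    return findings


def by_basename(findings: list[Finding]) -> dict[str, Finding]:
    """Index findings by file name for reporting and for the checks below."""
    return {os.path.basename(f.path): f for f in findings}


def build_demo_root() -> tuple[str, float]:
    """Create a throwaway directory with three constructed sample files.
    Returns (root, cutoff_epoch). Hypothetical layout mimicking owa/auth."""
    root = tempfile.mkdtemp(prefix="exch-demo-")
    owa = os.path.join(root, "owa", "auth")
    os.makedirs(owa)
    now = time.time()
    cutoff = now - 7 * 86400          # constructed: last known clean a week ago
    month_ago = (now - 30 * 86400, now - 30 * 86400)

    # 1. Old, benign page: neither check fires.
    old_ok = os.path.join(owa, "logon.aspx")
    with open(old_ok, "w") as fh:
        fh.write('<%@ Page Language="C#" %><html><body>sign-in page</body></html>')
    os.utime(old_ok, month_ago)

    # 2. Recent but benign page (e.g. a legitimate update): time check fires only.
    with open(os.path.join(owa, "theme.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" %><html><body>theme</body></html>')

    # 3. Backdated file carrying indicators inside a comment (constructed, not a
    #    working page): the time check is defeated, the content check still fires.
    shell_like = os.path.join(owa, "helper.aspx")
    with open(shell_like, "w") as fh:
        fh.write('<%-- constructed sample: Request.Item["x"] System.Diagnostics.Process --%>')
    os.utime(shell_like, month_ago)
    return root, cutoff


if __name__ == "__main__":
    demo_root, demo_cutoff = build_demo_root()
    for name, f in sorted(by_basename(scan_web_root(demo_root, demo_cutoff)).items()):
        print(f"{name}: recent={f.modified_after_cutoff} indicators={f.matched}")
```

On a real server, point `scan_web_root` at the Exchange front-end and back-end web roots and set the cutoff to the last time the server was verified clean; anything reported is a candidate for the forensic follow-up the list above calls for, not proof of compromise by itself.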
Long-term “Offense”: Layer Your Security, Deploy DLP and Encrypt Your Data
- Employ additional services, such as Exchange Online Protection, Microsoft Defender, ProofPoint, Mimecast and other solutions to provide greater protection for targeted attacks, phishing, ransomware/malware and much more.
- Configure “conditional location-based access” policies in addition to VPN.
- Configure your CASB and SIEM solutions with the appropriate controls to block and disable risky and potentially compromised accounts.
- Ensure your DLP solutions are configured to block critical data from being stolen and/or mistakenly exfiltrated by employees.
- Encrypt your data using Azure Information Protection. In the event of a worst-case scenario where your data is stolen, it’s worthless to the attacker if properly encrypted.
Is there any version of Exchange that is safer or less vulnerable than others?
After the original webcast, Microsoft confirmed that the vulnerability was first introduced in Exchange 2013, so older versions aren’t vulnerable to the full attack. Although it is out of support, Exchange 2010 is still used by some companies so it needs to be patched because it’s vulnerable to CVE-2021-26857, one of the four Hafnium vulnerabilities. Microsoft hasn’t patched any version earlier than Exchange 2010.
What about Exchange Online?
Exchange Online uses a different code base than the on-premises servers and is not vulnerable to the current attack. For one thing, Exchange Online does not allow insecure connections over TCP/443 to Exchange virtual directories like OWA and ECP, which were exploited in the attack.
Currently, the following vulnerabilities are exploited by adversaries:
CVE | Impact | Vulnerability Type | CVSS 3.0 Base Score |
CVE-2021-26855 [7] | Gain access to mailboxes, read the full contents. | SSRF (Server-Side Request Forgery) | 9.1 Critical |
CVE-2021-26857 [8] | Arbitrary code execution as SYSTEM user, compromise the system | Insecure Deserialization | 7.8 High |
CVE-2021-26858 [9] | Arbitrary code execution, compromise the system | Post-Authentication Arbitrary File Write | 7.8 High |
CVE-2021-27065 [10] | Arbitrary code execution, compromise the system | Post-Authentication Arbitrary File Write | 7.8 High |
Affected Microsoft Exchange Server Versions
Version | Status | Mitigation |
Exchange 2019 | Affected (all CVEs) | Immediately deploy the updates. |
Exchange 2016 | Affected (all CVEs) | Immediately deploy the updates. |
Exchange 2013 | Affected (all CVEs) | Immediately deploy the updates. |
Exchange 2010 | Affected (CVE-2021-26857) | Immediately deploy the updates. |
Exchange 2007 | Unknown, stated as “not believed to be affected” by Microsoft. | Unsupported version by Microsoft. Upgrade to a supported version. |
Exchange 2003 | Unknown, stated as “not believed to be affected” by Microsoft. | Unsupported version by Microsoft. Upgrade to a supported version. |
Exchange Online / Office 365 | Not Affected | |