On March 2nd, 2021, Microsoft published out-of-band security updates for all supported versions of on-premises Microsoft Exchange Server (2013, 2016 and 2019) to patch four zero-day vulnerabilities that were, and still are, being actively exploited. This post is a crash course on what the attacks are, who is behind them, how to check whether you have been affected, and how to protect yourself.
What is going on?
On March 2nd, Microsoft announced four previously unknown vulnerabilities in on-premises Exchange Server and reported that they were already being exploited in the wild by a group it calls HAFNIUM. Initial reports put the start of exploitation in February; later reports have pushed it back to early January 2021. Any on-premises Exchange Server 2013, 2016 or 2019 that was reachable from the internet during that window should be considered exposed.
What is HAFNIUM?
HAFNIUM is Microsoft's name for a state-sponsored actor assessed to operate from China. It has been targeting US-based organizations of all sizes for data exfiltration across a wide range of industries, including infectious disease researchers, law firms, accounting and financial firms, educational institutions, defense contractors, policy think tanks and NGOs. One practical caveat: Microsoft reports that the group runs its operations mainly from leased virtual private servers in the United States, so the attacking IP addresses will usually not look foreign, and geoblocking is not a defense here.
What are the vulnerabilities?
The four flaws are CVE-2021-26855, a server-side request forgery (SSRF) that lets an unauthenticated attacker send requests to the Exchange server and authenticate as the server itself; CVE-2021-26857, an insecure deserialization bug in the Unified Messaging service that yields code execution as SYSTEM; and CVE-2021-26858 and CVE-2021-27065, post-authentication arbitrary file writes. Chained together (the SSRF to get in without credentials, then a file write to drop a web shell such as an .aspx file into a web-accessible directory), they give full control of the Exchange server, from which the attacker can "set up shop", exfiltrate mailbox data and pivot into the rest of the network.
How do I know if I've been affected?
At present, the way to tell whether your Exchange Server has been hit is to check the server's own logs for the indicators Microsoft has published: unauthenticated requests in the Exchange HttpProxy logs whose AnchorMailbox field matches ServerInfo~*/*; entries in the ECP server logs matching Set-.+VirtualDirectory; "Download failed and temporary file" errors in the OABGenerator logs; MSExchange Unified Messaging errors mentioning System.InvalidCastException in the Windows Application event log; and unexpected .aspx files (web shells) in directories such as C:\inetpub\wwwroot\aspnet_client\ and the owa\auth folder under the Exchange FrontEnd\HttpProxy path. Microsoft's Test-ProxyLogon.ps1 script (published in its CSS-Exchange repository on GitHub) automates these log checks. Also look for follow-on activity Microsoft observed after the web shell, such as LSASS memory dumps taken with procdump and compressed archives staged for exfiltration.
Unfortunately, a clean result does not prove you were not affected. Exchange rotates its HttpProxy and ECP logs after a short retention window by default, so an intrusion in January may have left its traces in logs that have long since been overwritten. Given the timeframe and reach of these exploits, if your logs do not go back through December 2020, it is advisable to operate under the assumption that you have been breached.
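As an added example (not part of the original post and not Microsoft's Test-ProxyLogon.ps1), the following Python scans constructed samples of the two log sources above plus a constructed file listing for three of Microsoft's published indicators. The log lines, host names and IP addresses are made up for illustration; the HttpProxy column layout is reduced to the columns the check needs (real files carry many more), and the rule that the aspnet_client folder should contain no .aspx files at all is this example's assumption, based on Microsoft listing that folder as a web shell drop location.

```python
"""Scan Exchange log samples for three of the HAFNIUM / ProxyLogon indicators
Microsoft published on 2021-03-02.  Added example for this post; every sample
below is constructed, and this is not Microsoft's Test-ProxyLogon.ps1."""
import csv
import re

# Constructed excerpt of an Exchange HttpProxy log.  Real files live under
# <ExchangeInstallPath>\Logging\HttpProxy\<protocol>\ and carry many more
# columns; only the ones this check needs are reproduced.  Column names come
# from the '#Fields:' comment line, as in the real logs.
HTTPPROXY_SAMPLE = r"""#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress
2021-03-05T02:11:09.512Z,/owa/auth/logon.aspx,,,203.0.113.10
2021-03-05T02:11:42.118Z,/ecp/default.flt,,ServerInfo~a]@mail.corp.example:444/ecp/proxyLogon.ecp,203.0.113.10
2021-03-05T02:12:01.003Z,/owa/,CORP\jsmith,jsmith@corp.example,198.51.100.7
2021-03-05T02:12:30.777Z,/ecp/y.js,,ServerInfo~localhost/autodiscover/autodiscover.xml,203.0.113.10
2021-03-05T02:13:00.000Z,/ecp/,CORP\admin,ServerInfo~mail.corp.example/ecp/,198.51.100.7
"""

# Constructed excerpt of an ECP server log (<ExchangeInstallPath>\Logging\ECP\Server).
# Microsoft's indicator for CVE-2021-27065 is any line matching Set-.+VirtualDirectory:
# the file write is triggered by pointing a virtual directory's ExternalUrl at
# attacker-controlled content.
ECP_SERVER_SAMPLE = r"""2021-03-05T02:13:05.020Z,EX01,S:CMD=Get-OabVirtualDirectory -Identity 'EX01\OAB (Default Web Site)'
2021-03-05T02:13:06.401Z,EX01,S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://f/<script language=JScript runat=server>'
2021-03-05T02:13:07.000Z,EX01,S:CMD=Get-Mailbox -Identity jsmith
"""

# Constructed directory listing.  Microsoft listed C:\inetpub\wwwroot\aspnet_client\
# (and its system_web subfolder) among the web shell drop locations; the rule that
# *no* .aspx belongs there is this example's assumption.  owa\auth legitimately
# holds .aspx files and needs comparison against a known-good install instead.
WEBROOT_SAMPLE = [
    r"C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\WebForms.js",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\web.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\document.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
]

# PowerShell -like 'ServerInfo~*/*' is case-insensitive; mirror that here.
SERVERINFO_ANCHOR = re.compile(r"ServerInfo~.*/", re.IGNORECASE)
SET_VIRTUAL_DIRECTORY = re.compile(r"Set-.+VirtualDirectory")
ASPX_IN_ASPNET_CLIENT = re.compile(r"\\aspnet_client\\.*\.aspx$", re.IGNORECASE)


def parse_httpproxy(text):
    """Return HttpProxy rows as dicts.  Column names are taken from the
    '#Fields:' comment line (other '#' lines are skipped); a file with a bare
    header row instead is also accepted."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        values = next(csv.reader([line]))
        if fields is None:  # no '#Fields:' line: first data line is the header
            fields = [f.strip() for f in values]
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def find_cve_2021_26855(rows):
    """Requests with no authenticated user whose AnchorMailbox carries an
    attacker-chosen ServerInfo~ backend target: the SSRF signature.  Both
    conditions are required; an authenticated admin legitimately produces
    ServerInfo~ anchors."""
    return [r for r in rows
            if r.get("AuthenticatedUser", "") == ""
            and SERVERINFO_ANCHOR.match(r.get("AnchorMailbox", ""))]


def find_cve_2021_27065(ecp_text):
    """ECP server log lines that reconfigure a virtual directory."""
    return [line for line in ecp_text.splitlines()
            if SET_VIRTUAL_DIRECTORY.search(line)]


def find_webshell_candidates(paths):
    """.aspx files under aspnet_client, where none are expected."""
    return [p for p in paths if ASPX_IN_ASPNET_CLIENT.search(p)]


if __name__ == "__main__":
    for hit in find_cve_2021_26855(parse_httpproxy(HTTPPROXY_SAMPLE)):
        print("CVE-2021-26855:", hit["DateTime"], hit["ClientIpAddress"], hit["AnchorMailbox"])
    for line in find_cve_2021_27065(ECP_SERVER_SAMPLE):
        print("CVE-2021-27065:", line)
    for path in find_webshell_candidates(WEBROOT_SAMPLE):
        print("possible web shell:", path)
```

Run against the samples, the SSRF rule flags only the two unauthenticated rows from 203.0.113.10 and ignores the authenticated admin request with a ServerInfo~ anchor; the ECP rule flags the Set-OabVirtualDirectory line; and the path rule flags the two .aspx files under aspnet_client. On a real server, point the parser at every .log file under the HttpProxy and ECP\Server logging folders and treat any hit as a reason to start incident response, not as proof of scope.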
What do I do from here?
Most businesses will fall into one of three categories:
- You don't use on-premises Exchange Server for email. If your mail is on a non-Exchange platform, or on Microsoft's hosted Exchange Online (Office 365 / Microsoft 365), you are not affected by these vulnerabilities; other examples are Google Workspace (G Suite) and Open-Xchange. One caveat: an Office 365 tenant running in a hybrid configuration still has an on-premises Exchange server, and that server is in scope. If you use an ISP or third-party hosted email solution, check with the provider which platform they run and whether it has been patched.
- If you do use Exchange Server and can verify you have not been breached, install Microsoft's updates as soon as possible. On March 2nd, Microsoft released fixes for all four vulnerabilities for all supported versions of Exchange Server. Note that these security updates only install on servers running a supported Cumulative Update, so an out-of-date server has to be brought to a current CU first. Patching quickly prevents further exposure to the ongoing attacks, but it does not remove anything an attacker may already have left behind, which is why verification comes first. It may also be a good time to discuss moving your email to a cloud service such as Office 365 or Google Workspace.
- If you use Exchange Server and can either confirm you've been breached or cannot confidently rule it out, begin executing your incident response plan. Depending on your industry and level of preparedness, this may be as simple as contacting your IT provider or insurance company. Microsoft has also published an article with tools and information for detecting a breach and remediating it if you find one. If you're not sure where to start, feel free to reach out and we'd be happy to help you find the right path forward.
Vulnerabilities on the rise
As this attack and the SolarWinds compromise a few months earlier show, state-sponsored threats are on the rise. Attackers are no longer just opportunistic criminals looking for a quick payday. With nation states running campaigns at this scale, businesses of all sizes need to take security and incident response seriously.