On March 2nd 2021, tech giant Microsoft announced that they had uncovered major vulnerabilities in their popular mail server Microsoft Exchange. In a later statement, Microsoft announced that a Chinese-backed group known as Hafnium had begun exploiting these vulnerabilities which lead to an immediate response from Microsoft to warn all Exchange users. Shortly after this announcement, Microsoft released a patch for Exchange versions 2010, 2013, 2016, and 2019 effectively remedying these vulnerabilities in the update. With Microsoft Exchange being used across the world, it is believed that over 250,000 different organizations were affected by this hack. In the past, Hafnium has targeted U.S based institutions such as defense contractors, think tanks, and NGO’s. Currently, the motives of Hafnium are still unknown, but experts believe that this is only the beginning of a massive security breach across numerous companies.
How Did we Get Here?
Microsoft was made aware of four zero-day vulnerabilities in their widely used mail service, Exchange, in early January 2021 by an incident response company known as Volexity. Volexity detailed that numerous threat actors had begun exploiting these vulnerabilities across Exchange to gain access to information and data from a litany of companies. This information comes after Microsoft was warned by The Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) that hackers were targeting a critical vulnerability found in Exchange in April of last year.
The four zero-day vulnerabilities known together as ProxyLogon, target on-premise Exchange Servers through version years 2013, 2016, and 2019. However, Microsoft stated Exchange Online and Office 365 are not affected by these vulnerabilities. The first of these vulnerabilities is a server-side request forgery or SSRF for short. This vulnerability could allow an unauthenticated remote actor to send a specially crafted HTTP request to a vulnerable Exchange server to harvest the contents of users’ mailboxes. Another vulnerability that is being exploited is an insecure deserialization vulnerability. If paired with another vulnerability or an employee’s credential, an outside threat-actor could gain access to code within Exchange that can provide system level access. The final two vulnerabilities are both post-authentication arbitrary file write vulnerabilities. If an attacker was able to first gain authentication into the Exchange server, they could then write to any files on the vulnerable server. If left unpatched, these vulnerabilities can lead to a hacker being able to create a web shell to hijack the system and execute commands remotely.
What does this mean?
This hack has exposed numerous vulnerabilities across Microsoft’s Exchange email server. While the initial breach was conducted by a Chinese state-sponsored group known as Hafnium, other groups have begun to join in the frenzy. Experts believe that up to ten other hacker groups have started to exploit these vulnerabilities to on-premise Exchange servers across the globe. While Microsoft has yet to release what they believe was the goal of this hack, it is clear these attackers were looking to gain system wide access and harvest key user account information. This information includes emails, address books, and other account specific data housed on the Exchange servers.
What is the solution?
No matter how safe an organization thinks they are, emerging threat actors are continuously looking for new ways to exploit any vulnerability in systems, people, and processes. Companies and government organizations, if they have not done so already, need to move cybersecurity to the absolute forefront of their strategic planning in 2021.
For any organization directly affected by this attack or that uses an on-premise version of Exchange, immediately apply the security fixes that Microsoft has released. Microsoft has also released the Microsoft Exchange On-Premises Mitigation Tool that was designed to assist consumers that may not have the proper IT infrastructure or staffing to help with damage control from this breach. Following the initial patch, contact your managed serviced provider or IT department to determine what information may have compromise across your systems.
While there was no warning of this attack for most companies, businesses can look to better secure their networks through round-the-clock network monitoring, network segmentation, routine assessments, and proper evaluations of third-party software. Effective network segmentation would make sure that even if a threat actor was able to gain access to your systems, there would be security measures in place to make sure they weren’t able to get past their initial entry point.
As always, a culture centered around basic cyber hygiene can go a long way towards containing future attacks and mitigating the damage caused by them. Make sure to use strong, unique passwords for every account and never duplicate passwords. This way, if employee credentials are stolen, they don’t unlock more access to multiple sites. Also be mindful of what you click on when scrolling through emails or the internet. In many cases, the first point of attack is through an email or attachment. If you think something looks suspicious, immediately report it to your network administrator or IT staff. Cybersecurity starts at the ground level. Organizations need to prioritize cybersecurity training for all employees to teach better cyber habits and secure their networks.
Questions or concerns? Feel free to reach out to us any time – https://www.netizen.net/contact