April 1, 2021
Four zero-day vulnerabilities were discovered by Microsoft on its Exchange Server product early January and were exploited by the Chinese threat group named “Hafnium”.
A zero-day vulnerability is a security flaw that is known to the vendor but does not have a patch or update to fix the issue. Exploits occur before or on the same day a vulnerability is discovered in the software. At that point in time, a fix for the vulnerability is not available leaving the software open to exploits.
On March 2nd, Microsoft released an emergency security update to patch the vulnerabilities on its Exchange Servers. Microsoft Exchange Servers are Microsoft’s email, calendar and collaboration tool (like Gmail Apps). They can be cloud-based through “Microsoft Exchange Online”(not affected) or the software can be hosted internally by a business. Many smaller companies or institutions will rely on Microsoft Exchange servers without updating their existing software and server setup. These companies typically have a smaller budget to maintain their servers in-house or outsource to local IT specialists who are not cybersecurity experts and will only update on an as needed basis.
Days after the patch release, the hacking group increased their attacks to any unpatched exchange servers worldwide. The amount of Exchange Servers compromised was determined by how quickly each vulnerable business was able to make the necessary updates. Each day, the number of victims increased.In each hack, attackers left behind a password-protected hacking tool called a “web shell”. Web shells give attackers backdoor functionality or administrative rights over a victim’s computer servers and can be accessed anytime over the internet via web browser.
On March 5, Brian Krebs broke the news that an estimated 30,000 organizations within the US and hundreds of thousands worldwide have been affected by the hack and have back doors installed. About a week ago, Microsoft stated that 92% of vulnerable internet-facing Exchange servers had been patched or mitigated from the threat.
Microsoft has given warning over possible follow-up attacks on already compromised servers with back doors installed, as “patching a system does not necessarily remove access of the attacker”.
Secondary action is required in the event that systems have been compromised. Microsoft recommends Exchange Server admins to practice the “principle of least privilege” to mitigate any threat on the network.Microsoft expects that “Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions".
To help customers who cannot update quickly, Microsoft released a one-click tool that will help mitigate vulnerabilities and check servers for known attacks. They also built this into its Defender Antivirus tool to make it easier to scan for threats. In its security blog, Microsoft details several known Exchange Server attacks and how to mitigate any post-exploitation activities. To learn more about each known exploit visit their blog here.