Lessons Learned from the Hafnium Attack
An Aggressive, Orchestrated, Global Attack
Government officials and the cybersecurity community are still reeling after learning the extent of the Hafnium attack that was widely reported last week. Reports estimate at least 100,000 organizations have been breached worldwide by the China-based threat group that launched the attack, and at least four more groups have been identified exploiting the same vulnerabilities in Microsoft Exchange Server since the original surge. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already formed a task force in response to the attack, indicating the magnitude of this incident.
While informed security practitioners will have responded to this attack already, we are using this edition of the iON blog to review the steps for eliminating the vulnerability, to ensure the environment is free of any intruders, and to raise topics for discussion prompted by this incident that may ultimately help reduce your organization’s exposure to similar attacks.
First, a review of what we know so far…
- Microsoft named the threat group responsible for the initial set of attacks “Hafnium” and reported that they have historically targeted entities in the U.S. with the goal of exfiltrating information. Targets have included defense contractors, infectious disease researchers, law firms, policy think tanks, and NGOs.
- The Hafnium group chained together four vulnerabilities in on-premises Exchange Servers running versions 2013 through 2019 to siphon emails from victim organizations.
- After most successful attacks, the intruders left behind a web shell that gave them ongoing access to the victim’s servers. In some incidents, adversaries used scheduled tasks to maintain a foothold on victim systems.
- The attack did not take place over a single day or week. Cybersecurity firm Volexity reported first seeing attackers quietly exploiting the vulnerabilities on January 6, the same day most of the world was transfixed by coverage of the riots at the U.S. Capitol. Intrusions intensified on Friday, February 27 and spiked early the next week as the Hafnium group evidently responded to the release of the Microsoft patch that eliminated the vulnerabilities.
Recommended Next Steps
The first step may be obvious (and has likely been taken already at most organizations), but it must be stated: apply the Microsoft patch to all of your Exchange Servers immediately. If possible, we recommend disconnecting the servers from your network until you complete the updates. Microsoft’s detailed steps for installing the security update are available here.
If you encounter unexpected behaviours or the upgrade fails, follow the troubleshooting steps on this link:
If your organization has an internet-facing Exchange Server, especially Outlook Web Access (OWA), assume you have been breached. Initiate your organization’s Incident Response procedures and go through your plan’s list of activities for this type of incident.
Once you have patched your Exchange server(s), search for indicators of compromise (IOCs). Remember that these vulnerabilities were being exploited as far back as January 6th, meaning your organization could have been breached long before you applied the patch. This is a crucially important step because removing the intruder’s path of entry does not necessarily eliminate the attacker’s presence in your environment.
Volexity and blue team have posted large lists of IOCs here:
As part of your search, review your logs dating back to the start of 2021, using the lists in the links above as guides. For each set of logs, we recommend searching for evidence of the following activities:
Exchange Server logs
- Account creation at the local and domain level
- AV alerts
- Service creation
- Scheduled task creation
- Outbound connections to the Internet from Exchange servers (for payload download)
- Persistent connections to the Internet from Exchange servers (Command & Control activity)
- Use of PsExec or ProcDump
- Web requests in IIS logs, matching the patterns described by Volexity, that could indicate an attacker interacting with a web shell
Active Directory logs
- All Domain Admin or privileged logins (noting any atypical activity)
- User creation
- Changes to privileged groups
- Removal of the domain “Administrator” account from “Exchange Organization Administrators”
- Communication with IP addresses included in the published IOCs
A list of tools effective at searching for IOCs can also be found in the blueteam link above, including queries for various products such as Azure Sentinel, Splunk, Windows Defender, and more.
The lists of available tools and newly discovered IOCs are both constantly being updated, so we recommend checking for updates at regular intervals.
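One way to start the IIS log review described above, as an added example that is not part of the original post or of any vendor’s tooling: a small hunt over W3C-format IIS log lines that groups POST requests to .aspx resources outside an allow-list of expected Exchange endpoints, recording first-seen date, client IPs and query strings for each. The allow-list, the review start date and the log excerpt are constructed assumptions for illustration; real hunts should use the published IOC lists linked above.

```python
from collections import defaultdict
from datetime import date

# Illustrative allow-list of expected Exchange .aspx endpoints (assumption, not complete).
EXPECTED_ASPX = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}
# Earliest exploitation date noted in the post; older activity is out of scope here.
REVIEW_FROM = date(2021, 1, 6)

# Constructed IIS W3C log excerpt (not real traffic); paths are invented placeholders.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-01-04 09:00:00 10.0.0.5 POST /aspnet_client/constructed2.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2021-01-05 08:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0 200
2021-01-07 03:12:44 10.0.0.5 POST /owa/auth/Current/themes/resources/constructed1.aspx - 443 - 198.51.100.7 python-requests/2.25 200
2021-01-07 03:12:45 10.0.0.5 POST /owa/auth/Current/themes/resources/constructed1.aspx q=constructed 443 - 198.51.100.7 python-requests/2.25 200
2021-02-28 11:00:00 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\alice 192.0.2.11 Mozilla/5.0 200
2021-03-01 04:22:09 10.0.0.5 POST /aspnet_client/constructed2.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per data line, with keys taken from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))

def hunt_webshell_posts(text, allowlist=EXPECTED_ASPX, since=REVIEW_FROM):
    """Return {uri_stem: summary} for POSTs to unexpected .aspx stems on/after `since`."""
    allowed = {p.lower() for p in allowlist}
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "clients": set(), "queries": set()})
    for row in parse_w3c(text):
        stem = row["cs-uri-stem"].lower()
        when = date.fromisoformat(row["date"])
        if row["cs-method"] != "POST" or not stem.endswith(".aspx"):
            continue
        if stem in allowed or when < since:
            continue
        h = hits[stem]
        h["count"] += 1
        h["first_seen"] = when if h["first_seen"] is None else min(h["first_seen"], when)
        h["clients"].add(row["c-ip"])
        if row["cs-uri-query"] != "-":
            h["queries"].add(row["cs-uri-query"])
    return dict(hits)
```

Each flagged stem is a lead to check against the filesystem (when was that .aspx written, and by whom?) and against the published IOC lists, not a verdict on its own.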
The Hafnium attack should prompt some important discussions at your organization. For example, what tools do you have for detecting anomalous activity on your network? Did this incident expose any deficiencies in your detection capabilities?
Also, considering that entities using Microsoft 365 were not affected by this attack, you may want to re-evaluate the risk/reward of switching from on-premises mail servers to a cloud-based service. While MS 365-based email occasionally experiences outages, Microsoft can patch identified vulnerabilities immediately, and its vast threat hunting resources reduce exposure to attacks of this type.
This attack also illustrates why critical systems must not be exposed directly to the Internet. Even where on-premises OWA services are offered to the Internet, this attack could have been prevented by placing a remote access portal such as , Pulse, Citrix, or others in front of Exchange, requiring clients to authenticate with multi-factor authentication before being granted any ability to communicate with Exchange.
Finally, as troubling as the Hafnium attack is, it also serves as a prime example of why well-defined Incident Response procedures are crucial for organizations today. If your organization is unable to efficiently perform the tasks in the above links, then your IR plan and procedures need to be improved. iON can help you achieve this goal with IR Planning services that help accelerate your team’s ability to detect and remediate cyber incidents and reduce their impact.
Contact an iON Account Manager today for more details: firstname.lastname@example.org.
Sources and Additional Reading
iON credits the following articles as sources for this post.
This is a rapidly developing situation and we strongly recommend Network Administrators and Security Officers of organizations affected by this attack stay abreast of the latest developments.
The following links are good places to get additional detail and receive further updates: