An Aggressive, Orchestrated, Global Attack
Government officials and the cybersecurity community are still reeling after learning the extent of the Hafnium attack that was widely reported last week. Reports estimate at least 100,000 organizations have been breached worldwide by the China-based threat group that launched the attack and at least four more groups have been identified exploiting the same vulnerabilities in Microsoft Exchange server since the original surge. The U.S. Cybersecurity & Security Agency (CISA) has already formed a task force in response to the attack, indicating the magnitude of this incident.
While informed security practitioners will have responded to this attack already, we are using this edition of the iON blog to review the steps for eliminating the vulnerability, ensuring the environment is free of any intruders, and raise topics for discussion prompted by this incident that may ultimately help reduce your organization’s exposure to similar attacks
First, a review of what we know so far…
Background
- Microsoft named the threat group responsible for the initial set of attacks “Hafnium” and reported that they have historically targeted entities in the U.S. with the goal of exfiltrating information. Targets have included defense contractors, infectious disease researchers, law firms, policy think tanks, and NGOs.
- The Hafnium group chained together four vulnerabilities in on-premises Exchange Servers running versions 2013 through 2019 to siphon emails from victim organizations.
- After most successful attacks, the intruders left behind a web shell that gave them ongoing access to the victim’s servers. In some incidents, adversaries used scheduled tasks to maintain a foothold on victim systems.
- The attack did not take place over a single day or week. Cybersecurity firm Volexity reported first seeing attackers quietly exploiting the vulnerabilities on January 6; the same day most of the world was transfixed by coverage of the riots at the U.S. capitol. Intrusions intensified on Friday, February 27 and spiked early the next week as the Hafnium group evidently responded to the release of the Microsoft patch that eliminated the vulnerabilities.
Recommended Next Steps
The first step may be obvious (and has likely been taken already at most organizations), but it must be stated: Apply the Microsoft patch to all of your Exchange Servers immediately. If possible, we recommend disconnecting the servers from your network until you complete the updates. Microsoft’s detailed steps for installing the security update are available here
If you encounter unexpected behaviours or the upgrade fails, follow the troubleshooting steps on this link:
If your organization has an internet-facing Exchange Server, especially Outlook Web Access (OWA), assume you have been breached. Initiate your organization’s Incident Response procedures and go through your plan’s list of activities for this type of incident.
Once you have patched your Exchange server(s), search for indicators of compromise (IOCs). Remember that these vulnerabilities were being exploited as far back as January 6th, meaning your organization could have been breached long before you applied the patch This is a crucially important step because removing the intruder’s path of entry does not necessarily eliminate the attacker’s presence in your environment.
Volexity and blue team have posted large lists of IOCs here:
https://blueteamblog.com/microsoft-exchange-zero-days-mitigations-and-detections
As part of your search, review your logs dating back to the start of 2021 using the lists in the links above as guides. For each set of logs, we recommend searching for evidence of the following activities
Exchange Server logs
- Account creation at the local and domain level
- AV alerts
- Service creation
- Scheduled task creation
- Outbound connections to the Internet from Exchange servers (for payload download)
- Persistent connections to the Internet from Exchange servers (Command & Control activity)
- Use of PSExec of Procdump
- Web requests in IIS logs, matching the patterns described by Volexity, that could indicate an attacker interacting with a web shell
Active Directory logs
- All Domain Admin or privileged logins (noting any atypical activity)
- User creation
- Changes to privileged groups
- Removal of the domain “Administrator” account from “Exchange Organization Administrators”
Firewall logs
- Communication with IP addresses included in the published IOCs
A list of tools effective at searching for IOCs can also be found in the blueteam link above, including queries for various products such as Azure Sentinel, Splunk, Windows Defender, and more.
The lists of available tools and newly discovered IOCs are both constantly being updated, so we recommend checking for updates at regular intervals.
Lessons Learned
The Hafnium attack should prompt some important discussions at your organization. For example, what tools do you have for detecting anomalous activity on your network? Did this incident expose any deficiencies in your detection capabilities
Also, considering that entities using Microsoft 365 were not affected by this attack, you may want to re-evaluate the risk/reward of switching from on-premises mail servers to a cloud-based service. While MS 365-based email occasionally experiences outages, Microsoft can patch identified vulnerabilities immediately and their vast threat hunting resources reduces exposure to attacks of this type.
This attack also illustrates why critical systems must not be exposed directly to the Internet. Even while offering OWA services hosted on-premises to the Internet, this attack could have been prevented by using a remote access portal such as , Pulse, Citrix, and others to require clients to authenticate using multi-factor authentication prior to granting any ability to communicate with Exchange.
Finally, as troubling as the Hafnium attack is, it also serves as a prime example of why well-defined Incident Response procedures are crucial for organizations today. If your organization is unable to efficiently perform the tasks in the above links, then your IR plan and procedures need to be improved. iON can help you achieve this goal with IR Planning services that help accelerate your team’s ability to detect and remediate cyber incidents and reduce their impact.
Contact an iON Account Manager today for more details: sales@ionunited.com.
Sources and Additional Reading
iON credits the following articles as sources for this post
https://redcanary.com/blog/microsoft-exchange-attacks/#detection
This is a rapidly developing situation and we strongly recommend Network Administrators and Security Officers of organizations affected by this attack stay abreast of the latest developments.
The following links are good places to get additional detail and receive further updates:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://us-cert.cisa.gov/ncas/alerts/aa21-062a
https://cyber.gc.ca/en/alerts/active-exploitation-microsoft-exchange-vulnerabilities
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
https://www.cybermongol.ca/offensive-intelligence/warning-1-hour-ago-cve-2021-26855-exchange-ssrf
https://github.com/Udyz/CVE-2021-26855-SSRF-Exchange
[1] https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
