On March 2, 2021, the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, and Microsoft 365 Security teams released a blog post that disclosed multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server. The MSTIC team attributed the campaign to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology and Tactics, Techniques, and Procedures (TTPs). If you have not already done so, we join the Microsoft team in urging you to update on-premises systems immediately. Currently, there are no reports of Exchange Online being affected.
Who is HAFNIUM?
HAFNIUM primarily targets entities in the United States across a number of industry sectors, including legal, higher education, and government, as well as infectious disease researchers, policy think tanks, and NGOs.
In the past, HAFNIUM compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, a red team framework for mapping the attack surface of .NET. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA, an end-to-end encrypted cloud storage and communication platform.
Impact Thus Far
It has been reported that nearly 30,000 organizations, and as many as 250,000 individual users have been impacted. And, while Microsoft released a patch last week to shore up flaws in its email software, the remedy still leaves open a back door that can allow access to previously compromised servers and perpetuate further attacks by others. The back channels for remote access are most likely to impact credit unions, town governments and small businesses. Microsoft has two resources for learning more and patching:
The White House is calling this an "Active Threat" and the President is apparently assembling an emergency group of government agencies as part of a "whole of government" approach.
“We can’t stress enough that patching and mitigation is not remediation if the servers have already been compromised, and it is essential that any organization with a vulnerable server take measures to determine if they were already targeted,” the White House official said.
It is likely time to reconsider on-premises Exchange if you have it
On-premises Exchange is incredibly difficult to manage and maintain from both an IT and a security perspective. Exchange is usually tied integrally into a network's authentication sources and typically contains very sensitive data. Exchange has several configuration options that allow for interoperability with devices and services that need to communicate over email (usually over insecure or basic authentication), but it lacks the ability to properly secure these necessary configurations within Exchange itself and instead usually requires other security controls.
From a cybersecurity perspective, on-premises Exchange is a nightmare: it is complicated, tied integrally into authentication sources like Active Directory, holds very sensitive information, and typically has a large internet-facing attack surface. Because of this, several research teams focus solely on finding vulnerabilities to exploit within Exchange.
One of the best things Microsoft did with Exchange was to begin hosting it within O365/Exchange Online and slowly remove support for insecure configurations. This forced organizations running Exchange internally either to migrate to Exchange Online and retire the legacy systems and services that are no longer supported because they required insecure configurations, or, unfortunately, to stick with on-premises Exchange and attempt to properly secure it themselves.
To drive the point home, Microsoft itself no longer runs on-premises Exchange servers and has migrated the company to Exchange Online.
How Ordr Can Help
As most organizations have moved to the cloud or at least a hybrid model, we have found that there are not many on-premises Exchange servers left among our customers. However, where they do exist, Ordr will be able to detect the devices and will alert the proper workflow based on the associated CVEs that have been issued.