On March 5, Krebs on Security reported that the Microsoft Exchange servers of at least 30,000 U.S. organizations, and hundreds of thousands globally, had been hacked. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign "with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures." The US Cybersecurity & Infrastructure Agency (CISA) issued an Emergency Directive for Federal Civilian Branch Agencies and a general document for Remediating Microsoft Exchange Vulnerabilities.
As with the 2020 SolarWinds attack attributed to Russia, this attack is causing major impacts and disruptions and is burdening cybersecurity teams around the globe. The 0-day attack used by HAFNIUM exploited a vulnerability in all Exchange server versions, except Office365 and Microsoft Azure instances. Targeting the unified messaging function of Exchange's code, the attack allows remote code execution with System permissions on unpatched systems, which HAFNIUM exploited to install web shells for persistent access to the systems.
The attack was detected and reported in early January, and Microsoft released an emergency patch on March 2. Initially HAFNIUM targeted a modest number of customers in typical reconnaissance fashion; however, in late February the attackers turned to indiscriminately scanning for and infecting Exchange servers as they found them. Therefore, many systems that applied the emergency patch were already compromised and required remediation.
Why It Matters
Though we all take it for granted, email is an application that tends to hold particularly sensitive data – from business strategies to customer data and everything in between. As NetWitness Field CTO Ben Smith told TechNewsWorld, Intellectual property and information about individuals associated with the targeted organization are two broad categories of very sensitive data found in email."
The installation of web shells with Administrator rights opens additional avenues for compromise. Typical tactics, techniques and procedures (TTPs) for such attackers include attempts at credential harvesting and lateral movement to other systems – attackers can use this exploit to find others and do additional damage.
The NetWitness team quickly published guidance on detecting and remediating the web shells. Our Incident Response (IR) teams are working with customers to remediate infections and evaluate any additional impacts from the attack.
What to Do Next
Attackers continuously grow in sophistication and impact, especially state-sponsored attackers like HAFNIUM. The simple fact is that it's no longer practical to assume all attacks can be prevented. Therefore organizations need to increase their foundational cybersecurity capabilities with modern, comprehensive threat detection and response tools like NetWitness before a breach occurs. NetWitness Incident Response (IR) teams – elite, cyber-first responders who act quickly and decisively to identify and expel attackers – can help organizations recover from state-sponsored, coordinated attacks. See one of the four packaged retainer offerings to gain priority access to the NetWitness IR team.
As a leading member of the cybersecurity community, NetWitness stands with our industry colleagues and global customers, and shares the goal of inhibiting and defeating attackers like HAFNIUM. We'll continue to monitor and respond to attackers of all types and share knowledge with others.