Microsoft recently discovered evidence of an attack campaign, currently in progress, that leverages several previously unknown vulnerabilities in on-premises Microsoft Exchange Servers. The vulnerabilities enable access to email accounts and allow the installation of additional malicious components to maintain persistence within a target's environment in order to facilitate data exfiltration and surveillance. Microsoft has released an out-of-band security update that addresses each of these vulnerabilities; we recommend applying it immediately if you host your Exchange Server on-premises.
The attack is attributed to a group Microsoft has dubbed Hafnium, a Chinese state-sponsored threat actor. Industry sectors targeted by this threat actor include government, government-adjacent organizations, medical and healthcare, law firms, and NGOs. While the group is based in China, it used leased US Virtual Private Server (VPS) space to conduct its campaign. The vulnerabilities were chained together as successive stages of the attack, which the attacker used to steal data from the targeted organization's network.
The four vulnerabilities are as follows, with links to Microsoft's vulnerability scoring assessment for each:
Currently, very little information has been disclosed about the details of each vulnerability. It is known, however, that the initial stage of the attack requires the ability to make an untrusted connection to the Exchange server on port 443. The attack can also proceed if the attacker has already obtained access through other means or was able to convince an administrator to open a malicious file.
Apply the out-of-band patches immediately to address these vulnerabilities. See the source information, including the linked Microsoft vulnerability details and blog posts, for more. Additional mitigations include restricting untrusted connections to the Exchange server or placing it behind a VPN so that it is not exposed to external access; note, however, that these restriction and VPN measures protect only against the initial stage of the attack, not against an attacker who already has a foothold.
As information becomes available, the Security On-Demand Threat Recon Unit will continue to monitor your systems and this activity, and will provide critical updates regarding these events. As always, our customers are our top priority, and we are currently searching for any indicators of this attack on your systems. If we find any indicators in your environment, we will notify you directly and immediately. Please contact us if you have any questions.