Cybersecurity experts have been working around the clock this month to combat a massive coordinated hack linked to “Hafnium,” the Chinese state-sponsored hacking group. The hacks exploit four “zero-day” vulnerabilities in Microsoft Exchange servers, allowing the attackers to gain access to on-premise servers and take them over remotely.
Businesses, organizations, and IT administrators should not only be aware of the Hafnium attack but practice due diligence by analyzing their IT servers. In this article, we’ll provide some more background about this threat, discuss Microsoft’s response, and identify what security measures companies might take.
What Is a Zero-Day Exploit?
A zero-day vulnerability is a flaw within a system that hasn’t yet been discovered by developers, leaving the door open for massively destructive exploits. A zero-day attack happens once that software or hardware vulnerability is exploited to release malware, before developers have patched the flaw.
Threat actors spot the vulnerability, write exploit code, and implement the code while the vulnerability is still available. Discovery of the hack eventually follows when either the users recognize it in the form of identity or information theft, or the developer catches it, creates a patch, and notifies users that they have blocked further access by bad actors.
Once a patch is written and provided for users, the exploit is no longer called a zero-day exploit. Unfortunately, it often takes developers months or years to uncover the exact vulnerability that led to the attack.
Who Does Hafnium Target?
The Chinese state-sponsored advanced persistent threat (APT) group “Hafnium” primarily targets entities in the United States across a number of industry sectors. Their main targets include infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and non-governmental organizations (NGOs).
Hafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and it has used legitimate open-source frameworks, like Covenant, for command and control. Once inside a victim network, Hafnium typically exfiltrates data to file-sharing sites like MEGA, a New Zealand-based alternative to the Dutch service WeTransfer. WeTransfer was also a victim of email-related hacking in 2019.
A Hack Even Larger than SolarWinds
While Hafnium has been linked to the first zero-day exploit, Slovakian security firm ESET published findings this month that up to 10 different groups were involved in the coordinated global attack. By the time Microsoft had sounded alarms and issued the first patch for the exploits, at least three other groups linked to international cyber espionage had taken advantage of the vulnerability. After Microsoft published the patch, different hacking groups continued to exploit the vulnerability in organizations that had not yet installed it. Among the 10 groups responsible are the Chinese state-sponsored LuckyMouse, Tick, Winnti Group, and Calypso.
While the SolarWinds attack targeted mainly large institutional and governmental bodies, the Hafnium exploit took aim at those least equipped to respond to it: small and medium-sized business owners, community organizations, and nonprofits. These types of organizations are less likely to have full-time IT security experts on staff, usually run on-premise servers, and may be less vigilant about installing updates regularly. Larger enterprises and Fortune 500 companies are less vulnerable to breaches because they tend to have cybersecurity experts on staff. Many have also migrated their servers to Microsoft Exchange Online.
IT industry experts have been weighing in. Christopher Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), tweeted last week, “This is a crazy huge hack.” David Kennedy, CEO of cybersecurity firm TrustedSec, added, “SolarWinds was bad. But the mass hacking going on here is literally the largest hack I’ve seen in my 15 years. In this specific case, there was zero rhyme or reason for who [attackers] were hacking. It was literally hack everybody you can in this short time window and cause as much pandemonium and mayhem as possible.”
Microsoft Responds to the Hafnium Attack
Microsoft has urged IT administrators and customers to apply security fixes immediately. The company published a script on GitHub for IT administrators that includes the indicators of compromise (IoCs) linked to the four vulnerabilities. The IoCs are also listed separately on Microsoft’s blog.
The exploits are specific to on-premise Exchange Server 2013, 2016, and 2019. Microsoft also released patches for Exchange Server 2010, which is being updated for “defense-in-depth purposes.” Exchange Online is not affected, Microsoft notes.
Following the GitHub script and the patches for all versions of Exchange, Microsoft released a mitigation tool for on-premise servers. The mitigation is also pushed automatically to systems running Microsoft Defender for Endpoint Antivirus. For commercial clients using on-premise Exchange servers, Microsoft is also offering a 90-day free trial of Defender for Endpoint.
By March 22, Microsoft said that patches or mitigations had been applied to 92% of internet-facing, on-premise Exchange servers.
For Exchange Server 2019, 2016, 2013, and 2010, the patches require the latest cumulative updates to be installed before the new zero-day fixes are applied. For servers that do not have the latest cumulative updates installed, IT pros will have to download the patches from the Microsoft Download Center; they are not delivered automatically via the Microsoft Update service.
The patches from the Microsoft Download Center are thought to be only a temporary measure to quickly patch Exchange Server implementations. IT professionals still need to keep Exchange Server current with the latest cumulative updates.
What Now for IT Administrators?
Even if your organization has applied the security patches, there is no guarantee your systems were not accessed or backdoored before the patches went on. Experts are advising IT teams to analyze server activity going as far back as September 1, 2020. While these types of attacks are not new or unique to Microsoft, the sheer number of servers affected is what makes this attack so devastating.
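The review window above (activity since September 1, 2020) is the kind of filter an administrator applies to a server's web logs before comparing requests against Microsoft's published indicators. The script below is an added example written for this article; it is not Microsoft's GitHub script and it contains no indicators of compromise. It parses IIS W3C log lines (the format the Exchange front-end web site writes), keeps only requests dated on or after a cutoff, and summarises them per client address and per path, with a simple review heuristic (POST requests that carry no authenticated user) chosen for illustration. The log lines are constructed for the example, as are the addresses and paths in them.

```python
"""Triage an IIS W3C log for activity inside a review window.

Added example for this article, not Microsoft's published IoC script.
The heuristics here are a first pass for a reviewer; they are not a
substitute for the indicators of compromise Microsoft has published.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample log (header lines plus a few requests). Written for
# this example; not taken from any real server. Addresses are from the
# documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-08-30 09:12:01 10.0.0.5 GET /owa/ - 443 EXAMPLE\\alice 192.0.2.10 Mozilla/5.0 200
2020-09-02 22:41:17 10.0.0.5 POST /ecp/ - 443 - 198.51.100.23 python-requests/2.25 200
2020-09-02 22:41:19 10.0.0.5 POST /ecp/ - 443 - 198.51.100.23 python-requests/2.25 200
2020-09-03 08:00:44 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 EXAMPLE\\bob 192.0.2.11 Outlook/16.0 200
2020-09-03 08:00:45 10.0.0.5 GET /owa/ - 443 EXAMPLE\\bob 192.0.2.11 Mozilla/5.0 200
2021-03-01 03:15:09 10.0.0.5 POST /ecp/ - 443 - 203.0.113.77 python-requests/2.25 200
"""

# Start of the review window recommended in the article.
REVIEW_START = date(2020, 9, 1)


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by #Fields names.

    The column layout is taken from the #Fields directive, so the parser
    copes with sites configured to log a different set of columns.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, #Date) carry no data
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip a malformed line instead of aborting the whole pass
        records.append(dict(zip(fields, parts)))
    return records


def in_window(record, since=REVIEW_START):
    """True if the record's date is on or after the review cutoff."""
    return date.fromisoformat(record["date"]) >= since


def triage(text, since=REVIEW_START):
    """Summarise in-window requests per client, per path, and by heuristic."""
    recs = [r for r in parse_w3c(text) if in_window(r, since)]
    by_client = Counter(r["c-ip"] for r in recs)
    by_path = defaultdict(Counter)
    unauth_posts = Counter()
    for r in recs:
        by_path[r["cs-uri-stem"]][r["cs-method"]] += 1
        # Review heuristic chosen for this example: a POST with no
        # authenticated user ("-" in cs-username) is worth a second look.
        if r["cs-method"] == "POST" and r["cs-username"] == "-":
            unauth_posts[r["c-ip"]] += 1
    return {
        "records": len(recs),
        "by_client": dict(by_client),
        "by_path": {path: dict(methods) for path, methods in by_path.items()},
        "unauthenticated_posts": dict(unauth_posts),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['records']} requests since {REVIEW_START.isoformat()}")
    for ip, n in summary["by_client"].most_common() if False else sorted(summary["by_client"].items()):
        print(f"  {ip:16} {n} request(s)")
    for ip, n in sorted(summary["unauthenticated_posts"].items()):
        print(f"  review: {n} unauthenticated POST(s) from {ip}")
```

On a real server the text would come from the files under the IIS log directory rather than the embedded sample, and the output is a starting point for deciding which client addresses and paths to compare against the published IoCs, not a verdict on its own.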
Cybersecurity firms say they have begun to observe hackers stealing passwords from compromised networks and installing cryptocurrency-mining malware on servers. Meanwhile, Microsoft reported that it has detected the first signs of a new kind of ransomware related to the attacks. Experts also cite major concerns over China selling off the accounts and data stolen in the Hafnium breach, giving more bad actors the key to your data.
Given both the severity and scope of the Hafnium attack, your business should not wait to implement proactive measures. If you have any questions or need further clarity, contact Windows Media Experts today for help installing critical patches, migrating your on-premise Exchange servers to Exchange Online, or analyzing your server activity for a breach.