What You Should Know, What You Should Do
On March 2, 2021, Microsoft announced that certain Exchange Servers supporting the software giant’s popular email services had been hacked. The most recent update was posted on March 8th on the Microsoft security blog.
According to Microsoft’s Corporate Vice President of Customer Security, Tom Burt, this hack is the work of a state-sponsored threat group, which Microsoft has dubbed Hafnium.
“Hafnium operates from China, and this is the first time we’re discussing its activity. It is a highly skilled and sophisticated actor,” said Burt.
Hafnium historically has targeted entities in the United States in order to steal strategic data from a variety of industries.
“While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers in the U.S.,” he added.
Now, Hafnium has targeted on-premises Exchange Servers using exploits that were previously unknown. An independent cybersecurity firm based in Northern Virginia assisted Microsoft in identifying the Exchange Server software vulnerabilities being exploited by the hackers.
These Products are Affected
Four vulnerabilities in Exchange Server versions 2013, 2016, and 2019 were discovered and exploited by hackers, according to Microsoft. Exchange Servers support the company’s widely-used email and calendar services.
Microsoft lists the vulnerabilities as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
Cloud-based services such as Exchange Online and Microsoft 365, formerly Office 365, were not affected.
In addition, because Exchange Servers are almost exclusively used by business and commercial customers, Hafnium’s targets appear to be confined to organizations and government agencies. Individual consumers do not seem to have been affected.
The greatest impact of this breach could be on smaller businesses that have a vulnerable Exchange email server exposed directly to the Internet, without the benefit of the safeguards employed by enterprises and other large organizations or agencies.
Remediation Tasks to do Immediately
Soon after the March 2 announcement, Microsoft released software updates that address the four vulnerabilities in its software. There are several activities strongly recommended as part of remediation, as follows:
- Block Access. As an interim step, organizations are urged to block access to their vulnerable Exchange servers until those servers are patched. It is especially important to block access from untrusted networks.
- Update Software. Organizations that use any of the affected Microsoft products are urged to install the software patches immediately. (The company is also updating Exchange Server 2010 for defense-in-depth purposes.)
- Sweep Systems. Although patches can plug the vulnerabilities, they cannot remove hackers already in a system. For this reason, Microsoft urges organizations to conduct thorough sweeps of their systems, scanning for evidence of hacker infiltration or persistent activity, including webshells and backdoors they may have left behind in the system.
According to several sources, roughly 250,000 Exchange servers are visible online through various scanning tools.
As of March 10, only half of these privately-hosted servers had been updated with the security patches.
Time is vital in this remediation initiative, because the longer a server remains unpatched, the more attackers are able to access and exploit it. In fact, this has already happened.
In their March 8 security blog update, Microsoft reiterated that more than one bad actor (in addition to Hafnium) had stepped in quickly to take advantage of vulnerable servers, barraging some customers with multiple cyberattacks.
This Additional Help is Available
To help companies investigate those additional attacks, in cases where security patches and remediation tools are not yet deployed, Microsoft released a “feed of observed indicators of compromise (IOCs),” which is available at links provided in the security blog update.
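The system sweep recommended above, combined with the published IOC feed, can be scripted as a two-signal check: flag any file whose SHA-256 matches a feed entry, and flag any web script file that is absent from a known-good baseline inventory. The code below is an added illustration, not Microsoft’s tool or code from this article; the directory tree, file contents, baseline and the IOC hash are all constructed for the demo (the hash is computed from a sample file here, whereas in practice the hashes come from the published feed).

```python
"""Sweep a directory tree for files matching an IOC hash feed or for
unexpected web script files absent from a known-good baseline."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = (".aspx", ".ashx", ".asmx")  # server-side script types to baseline


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not load into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root: Path, ioc_hashes: set[str], baseline: set[str]) -> dict[str, str]:
    """Return {relative_path: reason} for every file that trips a signal."""
    findings: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if sha256_of(p) in ioc_hashes:
            findings[rel] = "hash matches IOC feed"
        elif p.suffix.lower() in SCRIPT_SUFFIXES and rel not in baseline:
            findings[rel] = "script file not in known-good baseline"
    return findings


def demo() -> dict[str, str]:
    # Constructed sample tree standing in for a web root; not real Exchange paths.
    root = Path(tempfile.mkdtemp())
    (root / "owa").mkdir()
    (root / "owa" / "logon.aspx").write_text("<!-- legitimate page (constructed) -->")
    (root / "owa" / "help.html").write_text("<p>help</p>")
    (root / "owa" / "odd.aspx").write_text("<!-- not in baseline (constructed) -->")
    (root / "temp.bin").write_bytes(b"constructed binary blob")
    # Constructed IOC feed entry, derived from the sample file so the demo is self-consistent.
    ioc_hashes = {sha256_of(root / "temp.bin")}
    baseline = {"owa/logon.aspx"}  # inventory taken from a known-clean install
    return sweep(root, ioc_hashes, baseline)


if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```

A real baseline should be captured from a clean installation at the same patch level, and the IOC set populated from the feed rather than from local files.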
For organizations that use the affected Exchange servers but lack the internal resources to perform the recommended investigations, scans, and tests, reliable third-party assistance is available.
Many highly experienced cybersecurity firms offer these services, from scans and cyber forensics to remediation assistance and more.
Be sure to verify the incident management experience and cybersecurity credentials of any firm you select and also ask for client references. Do your homework to make sure you engage an experienced, professional firm to help you thoroughly update your security safeguards.
Hafnium’s Goal in This Hack
While none but the hackers can know for certain, two distinct prizes appear to have driven this most recent blockbuster hack.
- Email Access. Access to the targeted Exchange email servers enables hackers to steal the email directories and address books of key executives or strategic personnel within a targeted organization. They can then spoof email messages that appear legitimate but contain malicious links that would further compromise the network and emails of targeted organizations. This email spoofing appears to have been committed quickly in at least one documented case.
- Network Access. Access to an organization’s network, through the servers, enables hackers to install malware in the network that can be leveraged to steal data and hold it for ransom. In addition, malware can be installed within the email system to allow continuing compromise of email inboxes and email addresses.
The Cybersecurity and Infrastructure Security Agency (CISA), an agency of the U.S. government, warned that this kind of malicious activity could allow hackers to obtain control of an entire network—unless appropriate remedial actions are taken immediately. Early on, CISA urged agencies to apply the patches or disconnect Microsoft Exchange from their networks.
Microsoft has noted that the Hafnium exploits are not connected to the separate SolarWinds-related attacks that began in March of 2020, seeing “no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services.”
How Hafnium Worked It
According to Microsoft, these attacks by China-based Hafnium encompassed three basic actions, as follows:
- Access. Hafnium gained access to an Exchange Server, either by using stolen passwords or by exploiting previously undiscovered vulnerabilities, to disguise itself as someone who should have access.
- Control. Then Hafnium created a tool, known as a webshell, that enabled it to remotely control the compromised server.
- Theft. Finally, Hafnium leveraged its remote access – run from its web of virtual private servers in the United States – to steal data from the targeted organization’s network.
We’ve heard from China many times before. That’s because China occupies a dominant first place among the world’s cyberattacks, being responsible for more than 40% of all exploits. Their most frequent targets are the United States and its allies.
The U.S. itself occupies a distant second place, responsible for just 10% of all cyberattacks. One of the largest hacker groups based in the U.S. is known as Anonymous.
Essentially tied for third place, Turkey and Russia generate 4.7% and 4.3% of all cyberattacks, respectively. Russia is commonly thought to be behind the SolarWinds breach last year.
In a recent post entitled “A Digital Strategy to Defend the Nation” the President of Microsoft, Brad Smith, emphasized the importance of preparing for more sophisticated cyberattacks from nation states.
In part, he wrote, “The recent SolarWinds cyberattack on the tech sector’s supply chain was a wake-up call. And just last week in Texas, nature demonstrated the vulnerability of our power grid. Yet, since 2014, Russian agencies have intruded into the U.S. electrical grid, and we shouldn’t assume they were alone or had benign intent.
“This means we must prepare for more sophisticated foreign attacks. We need to strengthen our software and hardware supply chains and modernize IT infrastructure. We must also promote broader sharing of threat intelligence, including for real-time responses during cyber incidents.”
No one can argue with any of these statements. The question is, will we take effective, meaningful actions soon enough?
The hits just keep on coming. The latest blockbuster breach, announced by Microsoft on March 2, 2021, affects commercial customers using on-premises Microsoft Exchange Servers for their email services.
China is believed to be behind this attack—specifically a hacker group dubbed Hafnium. Microsoft moved quickly in identifying four vulnerabilities and releasing software updates to patch them. In addition to urging immediate patch installation, Microsoft advised all affected businesses and agencies to check their systems for embedded malware and evidence of lingering hackers and persistent threats.
The thoroughness and speed of remediation is vital. Exchange Server customers who lack the internal resources to perform the prescribed system checks are urged to take advantage of third-party assistance from experienced and credentialed cybersecurity professionals.