Written by Paul Robertson
Hundreds of thousands of worldwide organizations are newly hacked via holes in Microsoft’s email software per a Krebs on Security article posted March 5, 2021.
“At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded 100,000s of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.”
"This is the real deal," tweeted Christopher Krebs, the former Cybersecurity and Infrastructure Security Agency (CISA) director. "If your organization runs an [Outlook Web Access] OWA server exposed to the internet, assume compromise between 02/26-03/03."
Per a Microsoft Blog Post dated 3/2/21 and updated 3/4/21 and 3/5/21:
“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”
“The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today’s Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server. We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.”
To aid organizations in investigating these attacks, we are sharing the following resources.
Microsoft recommends installing the necessary security patch per Microsoft Security Response Center guidance here. This method is the only complete mitigation and has no impact to functionality. This Exchange Team Blog has details on how to install the security update. This will not evict an adversary who has already compromised a server.
Patching is by far the best method to avoid compromise from this 0-day vulnerability, for that reason Mission Secure strongly encourages taking this route. However, if patching Exchange Server 2013, 2016, and 2019 is absolutely not possible, find interim mitigations per the following Microsoft Security Response Center guidance here.
Immediately copy all Microsoft Exchange Server logs offline. The Microsoft Exchange Server team released a script for checking HAFNIUM indicators of compromise (IOCs). See Scan Exchange log files for indicators of compromise.
Employee awareness of this situation is a critical step in improving your organization’s security posture. Notify employees of the current situation and to be extra vigilant and suspicious of all email communications, even those from people they know. This is especially important for those that might be deemed “high value” targets such as finance, helpdesk, engineering, executives, and those in high value or critical roles.
Notify your business ecosystem such as customers, partners, vendors, and service providers of this situation. Please share this Mission Secure Blog Post so they too are aware and taking steps to mitigate the risks.
Revisit this Blog Post for updates in the coming days.
Originally published March 6, 2021, updated March 7, 2021.