At the start of March, Threat Essentials detected increasing chatter relating to Microsoft Exchange exploits, indicating that actors were looking for or sharing information on brute-force attacks, web shells, and post-exploitation tasks. We had also noted, within the previous 12 months, expressions of interest on multiple sites in scoping Microsoft Exchange servers for attack, and discussion of other vulnerabilities in the servers.
Who is the Hafnium Group?
Hafnium is a group of state-backed Chinese hackers, according to Microsoft. Although based in China, Hafnium operates primarily from leased virtual private servers (VPS) in the US. It targets US organisations in several sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs. Upon accessing a victim network, Hafnium exfiltrates data to file sharing sites such as MEGA. Microsoft regards Hafnium as "a highly skilled and sophisticated actor."
Hafnium group creates access for other cybercriminals
In addition to the US, attacks on Exchange servers are taking place globally. The Netherlands, Czech Republic, and Norway have reported responding to ongoing Exchange intrusions. Several countries, including Australia, the United Kingdom, Germany, Romania, Austria, Sweden, Finland, Spain, New Zealand, France, Singapore, Hungary, Ireland, Canada, and Italy, have released national security alerts warning companies and government organisations to patch on-premises Exchange servers urgently. Security firms are also reporting a sharp increase in attacks targeting customer systems.
Although the initial attacks in early January were attributed to Hafnium, proofs of concept (PoCs) have since been published on dark web forums, and other threat actors have begun using the same exploits against Exchange servers. Microsoft acknowledges this in its latest update, saying it "continues to see multiple actors taking advantage of unpatched systems to attack organisations with on-premises Exchange Server".
Now that the details of the exploit are public, the web shells and other malicious tooling already deployed on Exchange servers are likely to be reused by opportunistic attackers for data theft and extortion. Installing the patches closes the initial entry point but does not remove a web shell that was planted before patching, so while Exchange users race to patch and secure their systems, malicious actors are attempting to access those systems in the gap between the original Hafnium intrusion and full remediation.
Timeline so far
03 January: Volexity (a US-based security firm) starts to see Hafnium attack traffic.
05 January: DEVCORE (a Taiwan-based security consulting service) reports two Exchange flaws to Microsoft.
06 January: Volexity identifies attacks on the Microsoft Exchange Server vulnerabilities (Note: US Capitol riot on the same day, global focus on TV coverage of this event).
18 January: Danish security firm, Dubex, detects clients being attacked.
27 January: Dubex reports their incident response findings to Microsoft.
02 February: Volexity officially informs Microsoft about two Exchange flaws. (Microsoft credits Volexity and DEVCORE with reporting the same two Exchange flaws.)
08 February: Dubex says Microsoft "escalated" its issue on 8 February but never confirmed the zero-day to Dubex before the emergency patch release on 2 March.
02 March: Microsoft discloses four zero-day Exchange Server vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) that are being exploited in the wild and releases out-of-band security updates for on-premises Exchange Server. It attributes the attacks to a state-sponsored threat actor it calls Hafnium, which operates from China.
03 March: A CISA (Cybersecurity and Infrastructure Security Agency) alert tells organisations running Exchange Server to examine their systems for the TTPs (tactics, techniques and procedures) and IoCs (indicators of compromise) it lists, to detect any malicious activity. If an organisation discovers exploitation activity, it should assume its network has been compromised and follow incident response procedures. If an organisation finds no activity, CISA recommends applying the available patches immediately and implementing the mitigations in the alert.
04 March: The Mayor of Prague announces on Twitter that Czech public administration systems have suffered "a massive cyber attack", and impact assessment is ongoing.
05 March: Microsoft strongly recommends customers investigate their Exchange deployments to ensure they have not been compromised. Microsoft also shares an Nmap script to help users discover vulnerable servers within their own infrastructure.
06 March: The Wall Street Journal reports the Exchange Server hack may have infected tens of thousands of businesses, government offices and schools in the US. One source suggests the impact could extend across 250,000 organisations.
07 March: The European Banking Authority announces its Exchange email servers have been attacked. Microsoft releases an updated script that scans Exchange log files for IoCs associated with the vulnerabilities. The White House urges computer network operators to take further steps to assess their systems, stressing that patching and mitigation are not remediation if a server has already been compromised, and that operators must determine whether they were already targeted. Bloomberg reports at least 60,000 Microsoft customers worldwide have been impacted by the hack.
08 March: The Dutch national cybersecurity agency issues a press release stating that 40% of the country's Microsoft Exchange servers are still vulnerable and urges patching as soon as possible.
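The checks that the 03 March CISA alert and Microsoft's 07 March log-scanning script point at can also be run over exported logs by an analyst who does not want to execute a script on the mail server itself. The following is an added example written for this page, not code from Microsoft, CISA or Threat Essentials. It parses the Exchange HttpProxy log format and flags the indicator Microsoft published for the CVE-2021-26855 server-side request forgery: a request with no authenticated user whose AnchorMailbox field carries a ServerInfo~<host>/<path> routing hint. The log excerpt is constructed for the example with a reduced set of columns; the host names, addresses and request IDs are made up.

```python
from __future__ import annotations

import csv
import io

# Constructed excerpt of an Exchange HttpProxy log (on a real server these live
# under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy\ and have
# many more columns). Hosts, addresses and request IDs are made up; the two
# anonymous /ecp/ rows are modelled on public reporting of the March 2021 attacks.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.01.2176.012
#Log-type: HttpProxy Logs
#Date: 2021-03-02T00:00:09.214Z
#Fields: DateTime,RequestId,Protocol,UrlHost,UrlStem,AuthenticationType,IsAuthenticated,IsAnonymous,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus
DateTime,RequestId,Protocol,UrlHost,UrlStem,AuthenticationType,IsAuthenticated,IsAnonymous,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus
2021-03-02T00:01:12.001Z,req-0001,Owa,mail.example.test,/owa/,Negotiate,true,false,EXAMPLE\\jdoe,Smtp~jdoe@example.test,Mozilla/5.0 (Windows NT 10.0; rv:86.0) Gecko/20100101 Firefox/86.0,10.0.0.25,200
2021-03-02T00:02:45.118Z,req-0002,Ecp,mail.example.test,/ecp/y.js,,false,true,,ServerInfo~mail.example.test/autodiscover/autodiscover.xml,ExchangeServicesClient/0.0.0.0,198.51.100.77,200
2021-03-02T00:02:47.902Z,req-0003,Ecp,mail.example.test,/ecp/default.flt,,false,true,,ServerInfo~mail.example.test/mapi/emsmdb/,python-requests/2.25.1,198.51.100.77,200
2021-03-02T00:03:10.330Z,req-0004,Autodiscover,mail.example.test,/autodiscover/autodiscover.xml,Basic,true,false,EXAMPLE\\svc-mon,Smtp~svc-mon@example.test,ExchangeServicesClient/15.00.0847.030,10.0.0.30,200
"""


def parse_exchange_log(text: str) -> list[dict[str, str]]:
    """Return one dict per data row of an Exchange protocol log.

    These logs open with '#'-prefixed metadata (#Software, #Version, #Log-type,
    #Date, #Fields) and usually repeat the field names as a plain CSV header row;
    the header is taken from that row when present, otherwise from #Fields:.
    """
    fields: list[str] | None = None
    body: list[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        body.append(line)
    if not body:
        return []
    first = next(csv.reader([body[0]]))
    if fields is None or first == fields:
        header, data = first, body[1:]      # plain header row present
    else:
        header, data = fields, body         # only the #Fields: comment carried the names
    return [dict(zip(header, rec)) for rec in csv.reader(data) if rec]


def is_ssrf_indicator(row: dict[str, str]) -> bool:
    """Microsoft's published HttpProxy indicator for CVE-2021-26855: a request with
    no authenticated user whose AnchorMailbox is a ServerInfo~<host>/<path> routing
    hint. Legitimate traffic is anchored on a mailbox (e.g. Smtp~user@domain), and
    an unauthenticated client should never be able to steer the back-end route."""
    anchor = row.get("AnchorMailbox", "")
    prefix = "ServerInfo~"
    return (
        row.get("AuthenticatedUser", "") == ""
        and anchor.startswith(prefix)
        and "/" in anchor[len(prefix):]
    )


def find_proxylogon_indicators(text: str) -> list[dict[str, str]]:
    """Scan one HttpProxy log and return the suspicious rows, keeping the fields an
    analyst needs next: when, from where, which URL, and the forged anchor."""
    keep = ("DateTime", "ClientIpAddress", "UrlStem", "AnchorMailbox", "UserAgent")
    return [
        {k: row.get(k, "") for k in keep}
        for row in parse_exchange_log(text)
        if is_ssrf_indicator(row)
    ]


def source_addresses(hits: list[dict[str, str]]) -> set[str]:
    """Distinct client addresses behind the hits, for pivoting into firewall and IIS logs."""
    return {h["ClientIpAddress"] for h in hits}


if __name__ == "__main__":
    hits = find_proxylogon_indicators(SAMPLE_HTTPPROXY_LOG)
    for h in hits:
        print(f'{h["DateTime"]} {h["ClientIpAddress"]:>15} {h["UrlStem"]:<22} anchor={h["AnchorMailbox"]}')
    print(f"{len(hits)} suspicious request(s) from {sorted(source_addresses(hits))}")
    # Per the 03 March CISA alert: any hit means assume compromise and start incident
    # response; no hits only justifies patching and mitigating, not a clean bill of health.
```

To use it on a real server, feed the contents of each file under the HttpProxy logging directory to `find_proxylogon_indicators` and treat any hit as a confirmed intrusion attempt. This covers only one of the published indicators; the other vulnerabilities leave traces in different Exchange logs and in the web-shell drop directories, so an empty result here does not by itself mean a server is clean.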
What we recommend
In addition to ensuring your servers are updated with all the necessary patches, our advice is to prepare to defend against ransomware attacks and attempts at illicit data exfiltration, and, because patching does not evict an attacker who is already inside, to hunt for web shells and other persistence before treating a server as remediated. Understanding which targets threat actors are keen on attacking right now, and their current tactics of choice, will be key to your proactive defence strategy. At Threat Essentials, we continuously monitor underground conversations for potential threats against our customers, empowering them to harden their defences in a cost-effective way.
To find out more about how Threat Essentials can support your cyber defences, get in touch with a Threat Essentials analyst at firstname.lastname@example.org