On March 2nd Microsoft announced 4 previously unknown zero-day vulnerabilities in all current versions of Exchange server along with patches to fix these vulnerabilities (MS Blog). They also announced a group dubbed “Hafnium” had been detected exploiting these vulnerabilities to access credentials used on the affected Exchange server and install secondary entry points for access in the event the vulnerability was patched. FireEye’s Mandiant security services identified anomalous behavior relating to these exploits as far back as early January (Mandiant Blog). Once the patches for these vulnerabilities were released, several security organizations noticed an uptick in Hafnium’s activity (likely to compromise more systems before organizations could apply the patches). Many estimates now sit at over 100,000 affected organizations worldwide and climbing.
What does this mean?
Any Exchange server accessible via HTTPS has a moderate chance of having exposed all user and administrative AD credentials and may be acting as an entry point to utilize those credentials within the network.
What Should Be Done?
- Any Exchange servers should be patched immediately – Microsoft Instructions for Patching
- Systems should be inspected for any indicators of compromise (IOCs)
- Microsoft has a script that will examine Exchange logs for malicious requests – Microsoft GitHub
- Microsoft’s free safety scanner has been updated to look for common webshells injected by Hafnium – Microsoft Safety Scanner
- Many other security tools have been updated to look for evidence of compromise and help prevent further spread, make sure your tools are up to date and any alerts are being investigated.
- Reset all account passwords including user, administrator, and service accounts
- This should be considered essential if any IOCs are present, but is recommended for at least administrative accounts in any environment with an Exchange server accessible via HTTPS
- If an Exchange server has been compromised it is currently very difficult to determine if all threats have been adequately removed due to the variable nature of this group’s methods. It would be prudent to isolate any compromised exchange server from other network systems and limit its inbound and outbound connectivity to essential IPs only. In many environments migrating data to a clean Exchange instance may be the safest and most expedient method to remove the threat.
Does this impact Exchange Online/O365?No, Microsoft has stated that the Exchange online codebase was not impacted by these vulnerabilities. However, any organization with a “Hybrid” Exchange server with HTTPS open to the internet (not limited to Microsoft Ips) could still be affected.
If the patch is applied are the servers considered safe?No, additional exploits may have been loaded on a server prior to patching. Any exposed server should be inspected for Indicators of Compromise.
If the tools above show no IOCs, can the server be considered safe after patching?Maybe, Given the access level granted by these vulnerabilities it is possible the attacker removed traces of the attack. This would generally require a more dedicated effort on the attacker’s part and is unlikely outside of high-value targets. Continued monitoring for suspicious network activity is recommended even if no IOCs are found and servers are patched.
Where can more information be found about combating this threat?CompuNet can help with many questions around both the security response and Exchange maintenance required to combat this threat. Many of our partners in the security space also have detailed blogs on the subject: