At least 30,000 organizations in the U.S. have been hacked by a Chinese cyber espionage unit, known as "Hafnium." The group is targeting and exploiting security vulnerabilities in Microsoft Exchange Server email software. 

Last week, Microsoft released emergency security updates to fix the vulnerabilities and announced the group operates from China with the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. 

According to KrebsOnSecurity, security experts say Hafnium has dramatically increased its attacks on any vulnerable, unpatched Exchange servers worldwide, leaving behind a "web shell," a malicious script that provides an attacker with a convenient way to launch attacks using a compromised web server.

Two cybersecurity experts told KrebsOnSecurity the group has taken hold of "hundreds of thousands" of Microsoft Exchange Servers worldwide.

Mat Gangwer, senior director, Sophos Managed Threat Response, explains, “These vulnerabilities are significant and need to be taken seriously. They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them. The broad installation of Exchange and its exposure to the internet mean that many organizations running an on-premises Exchange server could be at risk. Attackers are actively exploiting these vulnerabilities with the primary technique being the deployment of web shells. This, if unaddressed, could allow the threat actor to remotely execute commands for as long as the web shell is present.”

Gangwer says, "Organizations running an on-premises Exchange server should assume they are impacted, and first and foremost patch their Exchange devices and confirm the updates have been successful. However, simply applying patches won’t remove artifacts from your network that pre-date the patch. Organizations need human eyes and intelligence to determine whether they have been impacted and to what extent, and, most importantly, to neutralize the attack and remove the adversary from their networks. Organizations should review the server logs for signs that an attacker may have exploited their Exchange server. Many of the current known indicators of compromise are web shell-based, so there will be file remnants left in the Exchange server. An overview of files and any modifications to them is therefore important. If you have an endpoint detection and response (EDR) product installed, you can also review logs and process command execution."

Gangwer explains that "if you find any anomalous or suspicious activity, you should determine your exposure as this will allow you to decide what to do next. You need to understand how long or impactful this activity may have been. What is the gap between appearance of the web shell or other artifacts in your network and the moment of patching or discovery? This is often a good time to ask for external support if you’re not sure what to do. Third-party forensic and incident response can be vital at this stage, providing experienced threat hunting and human intelligence that can dive deep into your network and find the attackers."

Oliver Tavakoli, CTO at Vectra, explains, "the hack involved the combined exploitation of multiple 0-day vulnerabilities, starting with an OWA SSRF vulnerability and then proceeding to the exploitation of other vulnerabilities to burrow deeper into the inner workings of the server. Patching their Exchange servers will prevent an attack if their Exchange server has not already been compromised. But it will not undo the foothold attackers have on already compromised Exchange servers. Microsoft has published a technical blog on how to recognize signs that an Exchange Server is already compromised. Remediation will not be simple – it will effectively require backing up data, re-imaging the Exchange server, scrubbing the backup of any accounts which should not be present, resetting all passwords and secrets and restoring the remaining backup data."

Tavakoli says, "Complex software which has been around for a long time (Exchange and OWA certainly qualify in this regard) will almost invariably contain flaws which given sufficient motivation, resources and skill will be discovered and exploited. The key to resilience in these cases is to have the capability to detect downstream activity necessary to capitalize on the foothold gained – the good news is that this activity (e.g. the use of a reverse shell, the abuse of PowerShell, etc.) almost always follows more standard tradecraft which can be detected by Network Detection and Response products."

Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), says, “This attack chain, and the vulnerabilities exploited in it, are strong indicators about the originator of the Hafnium attack, as a substantial amount of time and resource is needed to fully develop such an attack method. The vulnerabilities used in this chain can be mitigated individually; the full potential lies in the coordination displayed. Server-side request forgery vulnerabilities, the one used to start the attack chain, are discovered regularly in various software products and document one more time that software is never 100% secure; it is just that the vulnerabilities haven’t been found yet and are therefore ‘unknowns’. The attack targets on-prem installations of Microsoft Exchange, and using OWA as an external interface is a clear indicator that the initial attack vector, port 443, is open to the public. An organization trying to verify whether they have been compromised already or trying to limit their exposure to future zero days should employ the essential controls recommended by CIS, at least Secure Configuration Management to harden the infrastructure, limiting additional exposures and privilege escalations, and Integrity Monitoring to control changes happening to the infrastructure, which will help identify any foothold established.”
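As an added example (not from the article, Sophos or NNT), this Python script applies the file-integrity check that Gangwer (review files and their modifications for web-shell remnants) and Schrader (integrity monitoring to spot a foothold) describe: hash the server-side script files under a web root, compare them against a baseline manifest taken when the server was known-good, and report anything added, modified or deleted. The extension list is an assumption, and the sample paths and hashes are constructed, not real Exchange files.

```python
import hashlib, os
from dataclasses import dataclass

# Extensions IIS executes server-side; an unexpected file with one of these
# under the Exchange web root is the classic web-shell remnant. (Assumed list.)
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}

@dataclass(frozen=True)
class Finding:
    path: str    # path relative to the scanned web root
    kind: str    # "added", "modified" or "deleted"
    digest: str  # sha256 of the current file, "" when deleted

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Hash every script file under root, keyed by root-relative path."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                full = os.path.join(dirpath, name)
                out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out

def diff_manifests(baseline: dict, current: dict) -> list:
    """List script files that differ from the known-good baseline manifest."""
    findings = []
    for path, digest in current.items():
        if path not in baseline:
            findings.append(Finding(path, "added", digest))
        elif baseline[path] != digest:
            findings.append(Finding(path, "modified", digest))
    findings += [Finding(p, "deleted", "") for p in baseline if p not in current]
    return sorted(findings, key=lambda f: f.path)

# Constructed sample manifests (not real Exchange files or hashes): the baseline
# has two legitimate pages; later one was altered and an unknown .aspx appeared.
def _h(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()
SAMPLE_BASELINE = {"owa/auth/pageA.aspx": _h(b"legit A"), "owa/auth/pageB.aspx": _h(b"legit B")}
SAMPLE_CURRENT = {"owa/auth/pageA.aspx": _h(b"legit A"),
                  "owa/auth/pageB.aspx": _h(b"legit B plus unexpected edit"),
                  "owa/auth/unexpected.aspx": _h(b"unknown content")}
```

On a live server, `snapshot(web_root)` produces the manifest; take the baseline from a freshly built or known-clean install, and treat any "added" or "modified" script file as something to triage rather than delete on sight, since the file and its timestamps are evidence for the dwell-time question Gangwer raises.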

Michael Isbitski, Technical Evangelist at Salt Security, says the hack seems like it's web-borne for the initial attack vector. "I suspect this will impact a lot of organizations that are still operating their own mail infrastructure rather than using a SaaS like Office365. An attacker can potentially submit an unauthenticated HTTP request to someone's on-prem Exchange servers by overloading cookies, and Exchange in turn processes any submitted commands embedded in the web request within the backend. It'll go from web channel down to binary and OS level issues very quickly in the attack chain. The moral of the story is to make sure your Exchange servers are patched, or use Office365 and let Microsoft handle it. Microsoft also created a few scripts that Exchange admins can run in their environments to check whether they have been compromised. The scripts look for those crafted HTTP requests in server logs and the subsequent binary and OS commands attackers issued to maintain persistence. Microsoft also pre-generated some code for Azure (Sentinel) customers to simplify the process of checking for compromise by admin teams.”

Isbitski suggests some useful resources include: https://github.com/microsoft/CSS-Exchange/tree/main/Security and https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/