On March 2, 2021, Microsoft reported that a Chinese based, state-sponsored sophisticated attack group which they are calling “Hafnium” hacked the Exchange Server using previously unknown exploits. Microsoft states that Hafnium is a highly skilled and sophisticated bad actor which uses three steps in their attacks.
In their March 2, 2021 report, Microsoft released the steps in which Hafnium uses. They first gain access to an Exchange Server with either stolen passwords or previously undiscovered vulnerabilities, disguising themselves as someone who should have access. Second, they create a web shell to remotely control the server that has been compromised. And lastly, they steal data from an organization using that remote server, which is run from a U.S. based private server.
Immediately, Microsoft released emergency security updates to patch the security holes Hafnium exploited in Exchange versions 2016-2019 to all its users. Since the release of the updates, Hafnium has severely amped up their espionage attacks on any vulnerable, unpatched versions of the Exchange Server.
Steven Adair, President of Volexity (who identified this activity back in January 2021) states that even though Microsoft released these patches, it does not nullify a web shell which has already been placed on a user’s server; therefore, allowing the bad actors to sneak back in. According to Adair “There were a significant number of organizations that are safe from new exploitation but not safe from a ticking time bomb that was left behind.”
The White House, the NSA, the Pentagon, and the Department of Homeland Security have since become involved in addressing this compromise. U.S. officials are concerned that the bad actors may use this gained access to infect colossal amounts of government agencies and businesses with ransomware. Initiated by the National Security Council, the White House is moving to assemble a UCG (Unified Coordination Group) to address this global situation. It has been estimated that the affected numbers of this Microsoft Exchange Server attack are near 30,000. Microsoft continues working with government agencies to provide mitigation for its customers. CISA has issued an emergency directive “requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks”.
The United States Cybersecurity Magazine and its staff will continue to release updates as they become available on the Exchange Server hack.