Microsoft Exchange “Hafnium” Hack: Recommended Steps

March 10, 2021

  • On March 2, 2021 Microsoft Corporation announced that a well-organized, China-based threat actor named “Hafnium” had deployed targeted attacks against a number of US-based businesses hosting on-premises Exchange Servers, using multiple previously unknown zero-day vulnerabilities.
  • Time is of the essence and action must be taken immediately to protect your data.
  • We recommend the following short- and long-term steps.

Zero-day attacks typically exploit a single vulnerability. The widespread Hafnium attacks (the group is rumored to be state-run), by contrast, have taken advantage of four previously unknown vulnerabilities in Microsoft’s on-premises versions of Exchange Server.

Tens of thousands of companies are at risk in the US and internationally. Time is of the essence and action must be taken immediately to protect your data.

Short-term “Defense”: Patch, Block Ports and Change Passwords

  1. Now that these vulnerabilities have been published, other threat actors will use the information to pursue their own campaigns, further increasing the chance of an attack on your environment. It is critical that the Microsoft patches be deployed immediately!

  2. Reset the Active Directory passwords of all users who have an Exchange mailbox.

    1. Regardless of the device or user, anyone with physical or remote access to a device can get into the original user’s account through OWA or Outlook, often with a single click and without re-entering the user ID and password. Microsoft access tokens typically last 24 hours, so end users’ accounts remain open to anyone with access to the device for at least a day, and longer if the session is kept open.

    2. This can happen even to the most careful, security-conscious user; complex passwords are recommended.

  3. Disable Outlook Web Access and related public-facing ports.

    1. OWA is extremely vulnerable to brute-force attacks, in which a threat actor tests login credentials against an organization’s OWA portal by guessing likely passwords for a valid user account. This type of attack is built on at least 30 years of trial and error by threat actors and is the number one method used to breach every type of corporate and consumer email solution. Furthermore, it can be performed with automation scripts that let attackers run simultaneous attempts against an unlimited number of users. User email addresses are typically found through LinkedIn and Facebook, as well as by purchasing verified email account lists through Google, Bing, Yahoo and other services.

  4. Download the Microsoft Safety Scanner (MSERT) tool and scan your Exchange Server(s) for web shells and open web shell connections left behind through these four zero-day vulnerabilities. If the tool reports unknown connections, BLOCK them, then perform a forensic investigation to confirm their origin and act accordingly.

  5. Disable any single-factor login entry points and require two-factor authentication over VPN. Close all direct access to your Exchange Server.

  6. Monitor ingress and egress points for unusual activity; block IPs and firewall ports that show higher-than-normal traffic.

  7. Validate that your incident response playbooks contain both business- and IT-related measures to appropriately defend and stop an email breach.
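As an added example (not from the original post, and not part of Microsoft’s MSERT tool), the following PowerShell triage script complements the scan in step 4: it lists ASP.NET script files under the Exchange and IIS web roots that were created or rewritten on or after February 26, the start of the window in which compromise should be assumed. It assumes it runs on the Exchange server in an elevated session; the scanned roots (`$env:ExchangeInstallPath` subfolders and `C:\inetpub\wwwroot`), the file types, and the report path are assumptions and can be adjusted.

```powershell
[CmdletBinding()]
param(
    # Start of the window in which compromise should be assumed (date from the post).
    [datetime]$Since = '2021-02-26',
    # Assumed output location for the analyst's review list.
    [string]$ReportPath = "$env:TEMP\exchange-webfile-triage.csv"
)

# C:\inetpub\wwwroot is the IIS default root; $env:ExchangeInstallPath is set by
# Exchange setup. Only roots that exist on this server are scanned.
$roots = @('C:\inetpub\wwwroot')
if ($env:ExchangeInstallPath) {
    $roots += Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'
    $roots += Join-Path $env:ExchangeInstallPath 'ClientAccess'
}
$roots = $roots | Where-Object { Test-Path $_ }

# Server-side script types that IIS executes if a file of that type lands in a web directory.
$scriptTypes = '*.aspx', '*.ashx', '*.asmx', '*.asax'

$findings = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Include $scriptTypes -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path         = $_.FullName
                CreationTime = $_.CreationTime
                LastWrite    = $_.LastWriteTime
                SizeBytes    = $_.Length
                # Hash lets the analyst compare the file against vendor/MSERT indicators.
                Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                # An owner other than SYSTEM/TrustedInstaller in a product directory deserves a closer look.
                Owner        = (Get-Acl -Path $_.FullName).Owner
            }
        }
}

if ($findings) {
    $findings = $findings | Sort-Object CreationTime
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    $findings | Format-Table Path, CreationTime, Owner -AutoSize
    Write-Host "$(@($findings).Count) script file(s) written since $Since; review list saved to $ReportPath"
} else {
    Write-Host "No web script files written since $Since under: $($roots -join ', ')"
}
```

Treat the list as a review queue rather than a verdict: an intruder can alter file timestamps, and Exchange updates legitimately rewrite files, so the MSERT scan in step 4 remains the primary check.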

Long-term “Offense”: Layer Your Security, Deploy DLP and Encrypt Your Data

  1. Employ additional services, such as Exchange Online Protection, Microsoft Defender, Proofpoint, Mimecast and other solutions, to provide greater protection against targeted attacks, phishing, ransomware/malware and more.

  2. Configure “conditional location-based access” policies in addition to VPN.

  3. Configure your CASB and SIEM solutions with the appropriate controls to block and disable risky and potentially compromised accounts.

  4. Ensure your DLP solutions are configured to block critical data from being stolen or mistakenly exfiltrated by employees.

  5. Encrypt your data using Azure Information Protection. In the worst-case scenario, where your data is stolen, it is worthless to the attacker if properly encrypted.

Monitor Microsoft and accredited news organizations. As with any open security investigation, it is critical to watch Microsoft and news organizations for changes to the recommended protective measures and for additional risks disclosed to the public.

Our understanding of the nature and magnitude of the Hafnium attack is evolving; the hack may prove worse than the SolarWinds attack. As a result, business and security leaders should err on the side of caution. According to Christopher Krebs, the former director of the US Cybersecurity and Infrastructure Agency, organizations using Microsoft Exchange should assume they were hacked sometime between February 26 and March 3.

What if You’re Compromised?

If you believe or have confirmed that your business has been compromised by this or any other Exchange vulnerability, please contact Optiv today at info@optiv.com. We can quickly initiate the defensive measures above and deploy additional stop-gap measures to protect your data, users and customers.

Rich Sylva
Principal Cloud Security Architect | Optiv
Rich Sylva has over 20 years’ experience securing messaging environments for major messaging platforms and has a principal focus on Microsoft Exchange. His expertise spans core industries, including Legal, Insurance, Military, Automotive, Airline and HealthCare verticals.