Microsoft identified a pattern of zero-day exploits being used by a group of malicious actors, now known as HAFNIUM, to attack on-premises Microsoft Exchange Servers. HAFNIUM is assessed to be a state-sponsored threat actor operating out of China; it has targeted entities in the United States to exfiltrate information from industries, infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs, and it conducts its operations through leased virtual private servers (VPS) located in the United States. In this blog, we elaborate on HAFNIUM and its zero-day exploits, and on how to protect against them.
How Does the HAFNIUM Zero-Day Exploit Work?
The sophisticated attack on on-premises Exchange Server happens in three steps.
- The actor gains access to on-premises Exchange Servers either with stolen passwords or by exploiting previously undiscovered vulnerabilities, and disguises itself as someone with legitimate access.
- They then create a web shell to remotely control the compromised server.
- Finally, they use remote access from a U.S.-based private server to steal data from organizations whose Exchange Servers have been compromised.
How to Determine If Exchange Server Is Compromised by HAFNIUM?
Microsoft has shared several resources, including indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate if their systems have been compromised by the HAFNIUM attack and implement proactive detections. Here are some methods to check if on-premises Exchange Servers have been compromised.
- Run the script provided by the Microsoft Exchange Server team to get an inventory of the patch-level status of on-premises Exchange servers.
- Scan the Exchange log files for HAFNIUM indicators of compromise (IOCs). Exchange log volumes can be large, so be mindful of the performance and memory impact of the scan on a production server.
- Check for suspicious web shell hashes, paths, or file extensions.
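The following PowerShell script is an added example that is not part of the original post, nor Microsoft's or Datum Consulting's tooling. It implements the third check above: it walks the web-accessible directories of an Exchange server, hashes every server-side script file (.aspx, .asp, .ashx, .asmx), and reports files that were created or modified after a cutoff date or whose SHA256 matches a list of known-bad hashes. The directory list assumes a default Exchange 2016/2019 (V15) install path and the default IIS wwwroot; the `$KnownBadHashes` values are placeholders that you must replace with hashes from Microsoft's published IOCs, since this page lists none.

```powershell
# Added example: hunt for suspicious server-side script files in Exchange web directories.
# ASSUMPTIONS: default V15 install path and IIS wwwroot; adjust $DefaultWebRoots to your layout.
# $KnownBadHashes is a PLACEHOLDER list: populate it from Microsoft's published IOCs.

$DefaultWebRoots = @(
    'C:\inetpub\wwwroot\aspnet_client',
    "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
    "$env:ProgramFiles\Microsoft\Exchange Server\V15\ClientAccess"
)

function Find-SuspiciousWebFiles {
    [CmdletBinding()]
    param(
        [string[]]$Paths = $DefaultWebRoots,
        # The page states exploitation may date back to January 2021, so that is the default cutoff.
        [datetime]$Since = (Get-Date '2021-01-01'),
        # PLACEHOLDER hashes; replace with real IOC values before use.
        [string[]]$KnownBadHashes = @('PLACEHOLDER_SHA256_1', 'PLACEHOLDER_SHA256_2')
    )
    $scriptExtensions = @('.aspx', '.asp', '.ashx', '.asmx')

    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $scriptExtensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                $reasons = @()
                if ($_.CreationTimeUtc -ge $Since -or $_.LastWriteTimeUtc -ge $Since) {
                    $reasons += 'modified-after-cutoff'
                }
                if ($KnownBadHashes -contains $hash) {
                    $reasons += 'known-bad-hash'
                }
                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        Path     = $_.FullName
                        SHA256   = $hash
                        Created  = $_.CreationTimeUtc
                        Modified = $_.LastWriteTimeUtc
                        Reasons  = ($reasons -join ',')
                    }
                }
            }
    }
}

# Usage: list findings, then export for the incident record.
$findings = Find-SuspiciousWebFiles
$findings | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path "$env:TEMP\exchange-webfile-findings.csv"
```

Expect some legitimate hits from the date heuristic: Exchange's own .aspx files under FrontEnd\HttpProxy are rewritten whenever a cumulative update or security update is installed, so compare the reported hashes against a known-clean server at the same patch level before treating a file as a web shell. A hash match against the real IOC list, or a script file in a directory that should contain none (such as aspnet_client), is the stronger signal.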
What to Do After HAFNIUM Zero-Day Exploits?
Here are the immediate steps to be taken after the HAFNIUM zero-day exploits.
- Take inventory of the on-premises Exchange Servers and apply the out-of-band updates for CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, and CVE-2021-26858.
- Scan the Exchange Server even if the patches have been applied, as the vulnerabilities could have been exploited as early as January 2021.
- Monitor activity in Exchange Servers and endpoints. Post-exploit activities, such as the launching of PowerShell from web server applications, could mean that further steps are necessary.
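As an added example (not from the original post, Microsoft, or Datum Consulting), the script below implements the last monitoring step: it searches the Windows Security log for process-creation events (Event ID 4688) in which the IIS worker process `w3wp.exe` is the parent of a shell or script host, which is the "PowerShell launched from a web server application" pattern the text describes. It assumes process-creation auditing is enabled (and, ideally, command-line logging in the 4688 event) and that the server runs Windows Server 2016 or later, where the 4688 event carries the `ParentProcessName` field. The function name `Get-IisSpawnedShells` is this example's own.

```powershell
# Added example: find shells spawned by the IIS worker process (w3wp.exe) in the Security log.
# ASSUMPTIONS: Event ID 4688 auditing is enabled; ParentProcessName requires Server 2016+;
# CommandLine is only populated if command-line auditing is turned on.

function Get-IisSpawnedShells {
    [CmdletBinding()]
    param(
        # The page states exploitation may date back to January 2021, so look back that far.
        [datetime]$StartTime = (Get-Date '2021-01-01'),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Child processes that should never be started by the Exchange web front end.
    $shells = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe')

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields rather than relying on positional Properties indexes.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $parent = [System.IO.Path]::GetFileName([string]$data['ParentProcessName'])
        $child  = [System.IO.Path]::GetFileName([string]$data['NewProcessName'])

        if ($parent -ieq 'w3wp.exe' -and $shells -contains $child.ToLower()) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Computer    = $e.MachineName
                Parent      = $data['ParentProcessName']
                Child       = $data['NewProcessName']
                CommandLine = $data['CommandLine']
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

# Usage: any row returned here warrants an incident response, not just patching.
Get-IisSpawnedShells | Format-Table -AutoSize
```

If Sysmon is deployed, the same logic applies to its Event ID 1 (process create) records in the Microsoft-Windows-Sysmon/Operational log, using the `ParentImage` and `Image` fields in place of `ParentProcessName` and `NewProcessName`; Sysmon always records the command line, which makes triage of a hit considerably easier.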
Datum Consulting Can Help Fix HAFNIUM Zero-Day Vulnerabilities
If your organization uses Exchange Server and needs assistance with investigation and patching for the HAFNIUM zero-day exploits, we are available by phone, or you can fill out the form below and we will provide our consulting services. Additionally, we can provide fully managed Exchange Server hosting services, or help you migrate to the always-updated Exchange Online service in the appropriate Microsoft 365 plan for better protection against such attacks in the future.