At Least 30k U.S. Orgs Affected by HAFNIUM Attack on Microsoft Exchange Servers

Threat Alert - HAFNIUM

At least 30,000 organizations in the United States have suffered a compromise as the result of a threat actor’s campaign to target vulnerabilities affecting Microsoft’s Exchange Server software.

Microsoft’s Security Advisory

On March 2, the Microsoft Threat Intelligence Center warned in a blog post of a campaign to exploit previously unknown vulnerabilities affecting Exchange Server software.

The tech giant is tracking those vulnerabilities as follows:

  • CVE-2021-26855: a server-side request forgery (SSRF) bug in Exchange that allows a malicious actor to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857: an insecure deserialization vulnerability in the Unified Messaging service that enables an attacker to run code as SYSTEM on the Exchange server once they’ve obtained admin permissions or exploited another security bug.
  • CVE-2021-26858: an arbitrary file write vulnerability in Exchange that could allow someone to write a file to any path on the server after they’ve authenticated themselves by exploiting CVE-2021-26855 or stealing a legitimate set of credentials.
  • CVE-2021-27065: a vulnerability that operates similarly to CVE-2021-26858.

Microsoft identified HAFNIUM as the primary threat actor abusing the vulnerabilities described above at the time of its security advisory.

A “highly skilled and sophisticated actor” operating out of China, HAFNIUM is known to have used leased virtual private servers (VPS) in the United States in order to target American law firms, higher education institutions, defense contractors and organizations in other sectors for the purpose of exfiltrating their sensitive data.

The Microsoft Threat Intelligence Center explained in another security bulletin that HAFNIUM begins by exploiting the vulnerabilities listed above or using a stolen set of legitimate account credentials in order to gain initial access. The threat actor then deploys web shells on the compromised server. Those web shells empower the threat actor to dump the LSASS process memory, compress stolen data into .ZIP files and ultimately exfiltrate sensitive information about an affected organization and its users.

Anyone who’s running software that’s affected by the vulnerabilities is urged to implement Microsoft’s security patches, which are available here.

Recommendations for Zix | AppRiver Customers

As a Microsoft partner, Zix | AppRiver received notification directly from Microsoft late Tuesday, March 2, 2021. We immediately started applying the necessary patches to our servers. Microsoft’s notification included a detailed list of indicators of compromise (IOC) that can be used to detect attacks against our systems. We are actively scanning our logs for any IOCs. We are tracking this issue closely and our investigation is ongoing.

We have also had our SIEM monitoring configured to automatically trigger a notification in the event an IOC is detected.

Customers can protect themselves against the threat activity described above by using a script created by the Microsoft Exchange Server team to run a check for HAFNIUM’s IOCs. They can access that script here: https://github.com/microsoft/CSS-Exchange/tree/main/Security.

If you use SIEM, we recommend that you also configure your system to provide notification in the event an IOC for HAFNIUM is detected. 

Finally, you can check out Microsoft’s blog post here to quickly inventory and evaluate the general security preparedness of your on-premise Exchange servers.

The U.S. Government’s Response

Microsoft explained in its security advisory that it had also briefed U.S. government agencies about HAFNIUM’s ongoing attack campaign.

In response, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released Emergency Directive 21-02. CISA noted in its alert that “this exploitation [by HAFNIUM] of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.” It subsequently ordered federal agencies running Microsoft Exchange on-premise products to either update their products using Microsoft’s patches or to disconnect their products from their networks until they could implement those fixes.

“This Emergency Directive will help us secure federal networks against the immediate threat while CISA works with its interagency partners to better understand the malicious actor’s techniques and motivations to share with our stakeholders,” said Acting CISA Director Brandon Wales, as quoted in a CISA press release. “The swiftness with which CISA issued this Emergency Directive reflects the seriousness of this vulnerability and the importance of all organizations – in government and the private sector – to take steps to remediate it.”

The Initial Impact

On March 5, KrebsOnSecurity shared that HAFNIUM had succeeded in compromising at least 30,000 organizations in the United States, according to multiple sources.

The threat actor also hacked into tens of thousands of organizations in Europe and Asia, reported Reuters that same day.

Steven Adair, president of Volexity, told KrebsOnSecurity that the attack activity began on January 6, 2021, but increased in the weeks that followed.

“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said, as quoted by KrebsOnSecurity. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

Reuters wrote on March 5 that Microsoft had yet to comment on the number of organizations affected by HAFNIUM’s hacking campaign.

We will continue to monitor this threat as it evolves.