The exploitation of Microsoft Exchange Server made headlines earlier this year, sending security teams scrambling to patch their servers before malicious actors had a chance to compromise their system.
Microsoft has attributed the attack to a group called Hafnium, which it describes as being “state sponsored and operating out of China.” In its report, Microsoft explained that the hackers chained four different zero-day exploits in the attack, giving them the coveted remote code execution capability to get into on-premises Exchange servers and access email accounts.
The number of compromised organizations is estimated at somewhere between 30,000 and 60,000, but it is still early, despite the news of this issue being nearly a month old. We know that there are many more systems that may be vulnerable if they have not yet been patched.
Having compromised their targets with the initial attacks, the hackers left web shells behind that gave them a foothold inside their victims’ systems. This, in turn, allowed them to write to disk, dump credentials, add user accounts, steal copies of Active Directory databases and eventually move laterally to other systems in search of valuable data.
This incident came hard on the heels of the SolarWinds hack back in December 2020, marking the second time that a nation-state actor had attacked a core technology used across such a large user base.
These major hits, coming back-to-back, have been overwhelming for many in the security space, and if the scale of these compromises feels bigger than in the past, it is because they are.
Changing the Scope of Compromises
There has been a cybersecurity ‘proverb,’ of sorts, making the rounds lately; it goes something like, “Just because you do not think you are a likely target of a state actor, does not mean that they are not interested in you.” It’s like the adage, “Just because you’re paranoid doesn’t mean they’re not out to get you.”
This is still true, but we’re beginning to see more cases where organizations are being impacted by the fallout effects of advanced persistent threat (APT) actors, even when they are not the intended target.
The reason APTs target these commonly used systems is fairly straightforward. Gaining access to emails and stealing credentials that allow them to dig deep into targets can yield mountains of valuable information. These compromised credentials can lead to unintentional insider threats, since your employees are no longer the sole proprietors of their accounts. Whatever access they had within your organization is now access the attackers have, as well, and can create a serious challenge to your data loss prevention goals. In the game of cyberespionage, some of these actions might be considered fair game.
However, as these malicious actors undermine the safety of mainstream services like Microsoft Exchange Server, they are also expanding the playing field of a game whose rules and boundaries are already murky, at best.
One concerning aspect of large-scale attacks like those that compromise widely used software like SolarWinds and Microsoft Exchange Server is that these attacks impact all users of that software, even if they are not the intended target. So even if Chinese hackers are targeting a defense contractor or a U.S. government office, specifically, your organization might end up as collateral damage.
There’s another metaphor about using a machete versus a scalpel; replace the machete in that adage with a barrage of ICBMs versus a scalpel, and you’re closer to the reality of the threat.
This is not to say that the SolarWinds and Exchange Server attacks are exactly the same. While there is evidence that the (allegedly Russian-run) campaign against SolarWinds could have put a large number of organizations at risk, those responsible were actually very selective with regard to who was actually compromised. Furthermore, they included measures to make it very easy to nullify threats to unintended targets if it looked like their campaign might get out of control. In the gray area of APTs, we might consider this operation an act performed by hackers with a conscience.
Compare this to the Microsoft Exchange Server incident, which was the polar opposite. By all indications, it was reckless and downright ignored the potential harm it could – and did – cause.
Unfortunately for the organizations exposed in the Exchange Server attacks, these initial expansive compromises are only the beginning of their troubles.
While the Hafnium APT crew likely decided to pass over most of the compromised organizations in favor of more interesting targets, they left open holes for other actors to access their victims.
Reports indicated that the Hafnium group left an estimated 22,731 web shells on Microsoft Exchange Servers. In doing so, the Hafnium team made it easy for others to come in and do their dirty work with very little extra effort expended.
According to some reports, based on the web shells found, some of the victims’ servers had as many as eight different backdoors created on their systems. Those victims have a lot more work ahead of them in defending their systems. This is because the patches for the zero-day vulnerabilities are only really effective for plugging the holes used for the breach itself. If the attackers have popped their web shells in the system already, then they are already in the second stage of the attack and additional measures are required to kick them out of the system. Reaching a safer state takes time and the tools to know what to look for. In that time, an attacker could already be moving laterally, wreaking all kinds of havoc.
We are already seeing the impact.
Reports have shown an exponential rise in attacks on Microsoft Exchange Servers by a combination of APTs and criminal groups using Hafnium’s web shells to gain access to victims. We are even seeing a rudimentary, yet effective, ransomware campaign make its way around the web. And it’s just the first of many, most likely.
Thankfully, the news is not all doom and gloom.
How to Respond to the Exchange Server Attack
Recent reports indicated that security teams have been exceedingly proactive in patching their Exchange Servers with the fixes provided by Microsoft. As of March 22, 92% of systems had already been patched or used other mitigation strategies to prevent exploitations.
Microsoft also has released a tool to help with these investigation efforts. The Biden Administration’s cybersecurity team, led by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, has been aggressive in reaching out to the private sector to take action.
So what should organizations be doing to protect themselves from this attack and be better prepared for future intrusions?
1. Patch
The first thing to do, if you have not done so already, is patch your server. Go do that now. We’ll wait.
2. Investigate
Next, perform an analysis of your server to look for signs that you might have been compromised. As noted above, the use of web shells is a complicating factor, because they are very persistent and may remain even if you have patched. Use Microsoft’s tool to run this automated investigation.
3. Mitigate and Detect
Make sure that you have behavior analytics and activity monitoring solutions in place to detect anomalous behavior that can signal intruders in your network. Breaches are a reality of the cybersecurity game, especially in the “perimeterless” state of affairs, so being able to catch malicious intruders posing as legitimate users is essential.
4. Consider Transitioning to the Cloud
Consider making the move to a Microsoft-hosted version of Exchange, for example. The cost calculation is different since you are basically renting the service instead of hosting it on your own server. The major upside, from a security standpoint, is that a lot, though not all, of the work required to keep your cloud-based Exchange secure falls on Microsoft.
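To illustrate the investigation step above, here is an added example (not Microsoft’s investigation tool, and not code from the original post) of a heuristic sweep for ASP.NET web shells left behind after patching: it flags server-side script files that both read request input and hand it to a code-execution primitive. The directory layout, file extensions and the two constructed sample pages are assumptions made for the example.

```python
"""Heuristic scan for ASP.NET web shells left behind after an Exchange compromise.

Added example: walks a directory of server-side files, flags .aspx/.ashx/.asmx files
that combine attacker-controlled input (Request[...]) with a code-execution primitive
(eval/Execute/Process.Start/Assembly.Load), and optionally keeps only files modified
after a reference time (e.g. when the server was patched). Assumptions: extensions,
patterns and the sample tree are illustrative, not a vendor indicator list.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

SHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx"}  # handlers IIS will execute (assumption)
INPUT_PATTERN = re.compile(r"Request(\.Form|\.Item|\.Params|\.QueryString)?\s*\[", re.I)
EXEC_PATTERN = re.compile(r"\b(eval|Execute|Process\.Start|Assembly\.Load)\b")


def classify_file(path: Path) -> Dict[str, object]:
    """Return which heuristics matched for one file, plus its last-modified time (UTC)."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return {
        "path": str(path),
        "takes_input": bool(INPUT_PATTERN.search(text)),
        "executes_code": bool(EXEC_PATTERN.search(text)),
        "mtime": datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc),
    }


def find_suspicious(root: str, modified_since: Optional[datetime] = None) -> List[Dict[str, object]]:
    """Flag files that both read request input and execute code; filter by mtime if given."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            if p.suffix.lower() not in SHELL_EXTENSIONS:
                continue
            verdict = classify_file(p)
            if not (verdict["takes_input"] and verdict["executes_code"]):
                continue
            if modified_since is None or verdict["mtime"] >= modified_since:
                hits.append(verdict)
    return hits


def build_sample_tree() -> str:
    """Constructed sample tree: one benign page and one web-shell-like marker page."""
    root = tempfile.mkdtemp(prefix="owa_sample_")
    Path(root, "auth").mkdir()
    Path(root, "auth", "logon.aspx").write_text('<%@ Page Language="C#" %><h1>Sign in</h1>')
    Path(root, "auth", "constructed_shell.aspx").write_text(
        '<script runat="server">void Page_Load(){ eval(Request["x"]); }</script>')  # marker only
    return root


if __name__ == "__main__":
    for hit in find_suspicious(build_sample_tree()):
        print(f"SUSPICIOUS {hit['path']} (modified {hit['mtime']:%Y-%m-%d %H:%M UTC})")
```

A hit is a lead for manual review, not proof of compromise; pair the file list with IIS request logs for those paths to see whether anything ever called them.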
Preparing for a Riskier Future
Given how bad this could have been, the general sense among many security professionals is that we got off easy, this time.
Microsoft seems to have gotten its act together quickly with patches, and the surrounding community and organizations patched in record time. Kudos, all around.
But if we learned anything from SolarWinds and the Exchange Server incidents, it is that determined, well-resourced actors are willing to risk a lot, and ignore collateral damage in pursuit of their goals. If your organization happens to get caught in the blast radius, then so be it.
The best that we can do is to stay on top of our security updates when they come out, and continue to monitor for breaches — and hope that cooler heads will make better operational decisions in the future.