So what exactly is going on?
By now you’ve probably heard about the latest major cyber attack, named Hafnium. According to Microsoft, this is an attack by what appears to be a state-sponsored group targeting the on-premises Exchange Server email software running at companies across the globe. While the total number of victims isn’t known just yet, it is suspected to be in the tens, if not hundreds, of thousands. Research from FireEye Mandiant suggests that these attacks began as early as January 2021.
The seriousness of this attack cannot be overstated. The White House and FBI have both issued statements about the attack. The US Cybersecurity and Infrastructure Security Agency (CISA) went so far as to issue an emergency directive mandating that all federal agencies immediately update their on-prem Exchange Server software or disconnect it from the network.
Specifically, the attack chains together four flaws in Exchange Server versions 2013 through 2019. By exploiting these security gaps, the attackers are able to install a web shell on the impacted servers, which gives them administrative access to the victim’s servers and all of the data stored on them. Microsoft disclosed that four Exchange Server zero-day vulnerabilities were being used in attacks against exposed Outlook on the web (OWA) servers. These vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
Microsoft has stated that this attack does not impact their cloud-based email service.
How do I know if I was impacted?
Security experts from across the industry are telling companies that if you are running an on-prem Microsoft Exchange server, you should assume that you have been compromised. Microsoft has released details about how to mitigate the effects of the attack. However, they acknowledge that applying the patch doesn’t remove attackers who are already in your system. They provided guidance on how to scan your Exchange log files for indicators of compromise here.
Keep an eye out for follow-up attacks
In the coming days we expect phishers to take advantage of the panic caused by this major attack by sending out a flurry of phishing emails that claim to provide links to scan your systems for Hafnium, fake Microsoft login pages where you’ll be asked to enter your credentials, and more. Companies with perimeter-based email security technology like Secure Email Gateways are particularly at risk, as these technologies are focused on finding malware rather than anomalies in the mailbox itself. Be wary of any Hafnium-related claims you receive and stick to following official guidance from Microsoft and/or your incident response provider about how to properly identify and remediate the effects of this attack.
Where can I learn more?
This is a dynamic situation. Below are a series of links where you can find additional details about Hafnium. We will publish further information on our blog should it become available.
References:
White House statement
Cybersecurity and Infrastructure Security Agency
Microsoft announces their MSERT (Microsoft Safety Scanner) tool now finds web shells from Exchange Server attacks
Detailed timeline of activities to date