On March 2, 2021, Microsoft announced active zero-day exploitation by a state-sponsored threat actor of four vulnerabilities in on-premises Exchange Server 2010, 2013, 2016 and 2019.
Who is behind the attack? Microsoft attributes the exploitation to HAFNIUM, a cyber espionage group it assesses to be operating out of China. HAFNIUM is not a newly observed group and is known to target specific sectors, including but not limited to infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and non-governmental organizations (NGOs). In previous attacks, HAFNIUM used leased virtual private servers located in the United States to perpetrate the attacks and exfiltrate data from victim organizations.
What is at risk? Microsoft reports that the vulnerabilities, if exploited, allow access to email environments hosted on on-premises Exchange Server 2010, 2013, 2016 and 2019, and could lead to the installation of additional malware that gives the attacker long-term and widespread access to the victim environment.
On March 11, 2021, Microsoft reported that a new family of ransomware, DearCry, was being deployed following initial compromise of unpatched on-premises Exchange servers.
How widespread is the impact? The vulnerabilities are believed to affect tens of thousands of organizations throughout the world, with over 30,000 organizations in the United States alone. The attacks did not stop once Microsoft disclosed the vulnerabilities; instead, Microsoft reports increased exploitation of unpatched systems since its announcement.
What should victim organizations do? Organizations should assess their environment to confirm whether they operate a vulnerable on-premises Microsoft Exchange server and, if so, undertake the mitigation efforts recommended by Microsoft. Microsoft notes that patching and the interim mitigations will not evict an adversary who has already compromised a server. Various reliable forensic partners are recommending that impacted organizations immediately undertake the following:
- Patch vulnerable servers, with first priority given to those accessible from the internet. The security updates are built for specific Cumulative Update levels, so organizations should first move each Exchange server to the latest supported Cumulative Update and then install the relevant security update on it.
- Assess the environment for the indicators of compromise published by Microsoft.
- Use additional tools such as Microsoft's Exchange Server HealthChecker script (published on GitHub) to determine whether updates are necessary. This script does not support Exchange Server 2010.
- Do not reboot the on-premises Exchange servers before evidence has been preserved: a reboot destroys volatile memory that is necessary for memory analysis in the forensic investigation of this incident. If a restart is required to complete patching, capture a memory image first.
- Block known bad IP addresses at the firewall, as well as any IP address to which a large amount of data is seen being sent where the traffic is believed not to be tied to legitimate users.
- Consider resetting enterprise user credentials.
- Run a full anti-virus scan not only against the on-premises Exchange servers but across the full environment to detect any malware or other malicious or suspicious activity.
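The second and fifth steps above (review for indicators, and block addresses that are pulling large amounts of data) can be started from the Exchange server's own IIS logs. The following is an added example written for this page, not code from Microsoft, the forensic partners mentioned above or Mullen Coughlin. It parses W3C extended IIS log text using the `#Fields:` header, totals the bytes the server sent (`sc-bytes`) per client address, ignores addresses inside networks the operator declares trusted, and returns the external addresses that received more than a threshold. The log lines, the trusted network, the 50 MiB threshold and the function names are all constructed assumptions for illustration; `sc-bytes` must be enabled in the IIS logging configuration for this to work on real logs.

```python
"""Rank client IPs in IIS W3C logs by bytes served, to spot bulk egress from an Exchange front end.

Added example, not from the advisory. Field names follow the IIS W3C extended log
format; the sample log below is constructed for illustration only.
"""
from collections import defaultdict
import ipaddress

# Constructed sample log: one ordinary OWA session from 203.0.113.10 and one
# external address (198.51.100.77) repeatedly receiving 50 MB responses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-03 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken
2021-03-03 08:01:10 10.0.0.5 GET /owa/ - 443 203.0.113.10 Mozilla/5.0 200 4120 512 35
2021-03-03 08:01:12 10.0.0.5 POST /owa/auth.owa - 443 203.0.113.10 Mozilla/5.0 302 210 740 61
2021-03-03 08:02:30 10.0.0.5 GET /owa/service.svc - 443 203.0.113.10 Mozilla/5.0 200 88012 1024 120
2021-03-03 09:15:01 10.0.0.5 GET /owa/attachment.ashx - 443 198.51.100.77 python-requests/2.25.1 200 52428800 300 9000
2021-03-03 09:15:40 10.0.0.5 GET /owa/attachment.ashx - 443 198.51.100.77 python-requests/2.25.1 200 52428800 300 8800
2021-03-03 09:16:22 10.0.0.5 GET /owa/attachment.ashx - 443 198.51.100.77 python-requests/2.25.1 200 52428800 300 9100
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no entries
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # no header yet, or a truncated line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def egress_by_client(rows, trusted_networks=()):
    """Total bytes served and request count per client IP, skipping trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0, "user_agents": set()})
    for row in rows:
        try:
            addr = ipaddress.ip_address(row.get("c-ip", ""))
            sent = int(row.get("sc-bytes", "-"))  # "-" when sc-bytes logging is off
        except ValueError:
            continue
        if any(addr in net for net in nets):
            continue
        entry = totals[str(addr)]
        entry["bytes"] += sent
        entry["requests"] += 1
        entry["user_agents"].add(row.get("cs(User-Agent)", "-"))
    return dict(totals)


def flag_bulk_egress(totals, threshold_bytes=50 * 1024 * 1024):
    """Client IPs that received at least threshold_bytes, largest first."""
    over = [ip for ip, entry in totals.items() if entry["bytes"] >= threshold_bytes]
    return sorted(over, key=lambda ip: totals[ip]["bytes"], reverse=True)


def main():
    totals = egress_by_client(parse_w3c(SAMPLE_LOG), trusted_networks=["10.0.0.0/8"])
    for ip in flag_bulk_egress(totals):
        entry = totals[ip]
        print(f"{ip}: {entry['bytes']} bytes over {entry['requests']} requests, "
              f"user agents {sorted(entry['user_agents'])} - review and consider blocking")


if __name__ == "__main__":
    main()
```

Any address this reports is a candidate for the firewall block list only after it has been checked against legitimate users and VPN or NAT egress points; feed the operator's real ranges in through `trusted_networks` so internal traffic is not flagged.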
Many organizations running vulnerable servers report finding that the vulnerabilities were exploited and bots were installed automatically on their systems, with no further malicious activity by the threat actors. While such a scenario may present a low risk of information security compromise, organizations should discuss this incident with their cyber insurance carrier/broker and, depending on that conversation, consider engaging panel-approved expert incident response providers, including Mullen Coughlin. An approved incident response provider will then engage panel-approved forensic investigators to confirm, under privilege, whether remediation efforts beyond those recommended by Microsoft are appropriate. Counsel will also determine whether the organization has any legal obligation to disclose this event and what additional steps should be taken to document the investigation and respond to the event appropriately.
Organizations should also work with counsel, in alignment with their Vendor Management Program, to determine whether their information is housed by a third party impacted by this event and, if so, to obtain and review that third party's investigation and response.
If you have any questions about the threats posed by these vulnerabilities or suspect that your organization may have been a victim, please contact John Mullen (267.930.4791; ), Jenn Coughlin (267.930.4774; ) or any other Mullen Coughlin representative.