Following Microsoft's news about Hafnium, IT security company Sophos has been closely monitoring the issue and is providing regular advice on how organizations should threat hunt and mitigate an actual or potential attack.

Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.

In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.

Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in the Microsoft Security Response Centre (MSRC) release "Multiple Security Updates Released for Exchange Server".

Customers are urged to update their on-premises systems immediately.

Exchange Online is not affected.

Hafnium primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Mat Gangwer, senior director of Sophos Managed Threat Response, comments: “These vulnerabilities are significant and need to be taken seriously. They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them. The broad installation of Exchange and its exposure to the internet means that many organizations running an on-premises Exchange server could be at risk.

“Attackers are actively exploiting these vulnerabilities with the primary technique being the deployment of web shells,” he says. “This, if unaddressed, could allow the threat actor to remotely execute commands for as long as the web shell is present.”

Gangwer says organisations running an on-premises Exchange server should assume they are impacted and should immediately patch their Exchange devices and confirm the updates have been successful.

“However, simply applying patches won’t remove artifacts from your network that pre-date the patch. Organisations need human eyes and intelligence to determine whether they have been impacted and to what extent, and, most importantly, to neutralize the attack and remove the adversary from their networks.

“Organisations should review the server logs for signs that an attacker may have exploited their Exchange server,” he adds.

Many of the currently known indicators of compromise are web shell-based, so there will be file remnants left on the Exchange server. “An overview of files and any modifications to them is therefore important. If you have an endpoint detection and response (EDR) product installed, you can also review logs and process command execution.

“If you find any anomalous or suspicious activity, you should determine your exposure as this will allow you to decide what to do next,” Gangwer says. “You need to understand how long or impactful this activity may have been. What is the gap between appearance of the web shell or other artifacts in your network and the moment of patching or discovery? This is often a good time to ask for external support if you’re not sure what to do. Third-party forensic and incident response can be vital at this stage, providing experienced threat hunting and human intelligence that can dive deep into your network and find the attackers.”
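As an added illustration of the file review and "gap" estimate Gangwer describes (this is example code, not Sophos or Microsoft tooling), the PowerShell below lists ASP.NET script files under the Exchange web roots with their creation times, hashes, and the interval between each file appearing and the patch or discovery time. The web-root paths, the `ExchangeInstallPath` environment variable and the extension list are assumptions about a default on-premises install and should be adjusted to the server being reviewed.

```powershell
# Added example (not from Sophos or Microsoft). Run on the Exchange server with
# administrative rights. Assumed defaults: Exchange sets ExchangeInstallPath, and the
# IIS web roots below are where web shell remnants would be written on a default install.
param(
    # Time the server was patched or the activity was discovered; defaults to "now".
    [datetime]$PatchedAtUtc = (Get-Date).ToUniversalTime(),
    [string[]]$WebRoots = @(
        (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),   # assumption
        'C:\inetpub\wwwroot\aspnet_client'                            # assumption
    )
)

# Server-side script types that a web shell on IIS would typically use (assumed list).
$ScriptExtensions = '.aspx', '.ashx', '.asmx'

$hits = foreach ($root in $WebRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $ScriptExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $created = $_.CreationTimeUtc
            [pscustomobject]@{
                Path        = $_.FullName
                CreatedUtc  = $created
                ModifiedUtc = $_.LastWriteTimeUtc
                SizeBytes   = $_.Length
                # Days between the file appearing and patching/discovery: the "gap"
                # that bounds how long an attacker may have had command execution.
                GapDays     = [math]::Round(($PatchedAtUtc - $created).TotalDays, 1)
                # Hash so the file can be compared against published indicator lists
                # and preserved as evidence before any cleanup changes it.
                Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Newest files first: anything created shortly before the patch date is triaged first,
# and any file a legitimate deployment did not put there needs explaining.
$hits | Sort-Object -Property CreatedUtc -Descending |
    Format-Table -Property CreatedUtc, GapDays, SizeBytes, Path -AutoSize

# Keep the full listing (including hashes) for the incident record or external responders.
$hits | Export-Csv -Path (Join-Path $env:TEMP 'exchange-webroot-scripts.csv') -NoTypeInformation
```

Pass `-PatchedAtUtc` with the time the update was applied so the GapDays column reflects the real exposure window rather than the time the script was run.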