Last week, reports of a large-scale attack on Microsoft Exchange servers began circulating online. Initial reports point to the cyberespionage group Hafnium. The scope of the compromise is likely to be well beyond the initial 30,000 organizations as reported by Brian Krebs. We'll add additional reference resources to this post that cover the timeline's specifics, technical details of the attack, and other pertinent information that could be useful to your organization.
Here's what we know so far:
Vulnerable Versions of Microsoft Exchange
The following on-premises versions of Exchange that expose public-facing services such as Outlook Web Access (OWA) and Unified Messaging should be addressed immediately.
- Exchange Server 2010
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
*Office 365 and Exchange Online platforms are not affected by this attack.
The Attack Chain and CVEs
An attack chain is the sequence of steps an adversary carries out to compromise a target system. This Microsoft Exchange hack chains together a group of Common Vulnerabilities and Exposures (CVEs) that let the adversary execute code on and manipulate the Exchange system using nothing more than public-facing HTTP access to the OWA server. This group of CVEs is known as ProxyLogon. If your 2013, 2016, or 2019 Exchange environment allows web access, that is all an attacker needs to get started. How does this happen?
- The attacker makes an untrusted connection to your public-facing Exchange server on port 443.
- The attacker runs malicious code using the SYSTEM account on the target (a.k.a. your Exchange server).
- Now, the attacker can use a variety of exploits to write files and manipulate the Exchange environment.
- The attacker establishes a web shell that enables a persistent connection.
- The compromise spreads to other internal or external systems and escalates to the data exfiltration phase where an attacker can remove data from your network.
*CVEs used above include: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065.
This attack is uniquely concerning given the sheer quantity of targeted systems and the inherent trust between public-facing Exchange systems like OWA and internal Exchange servers like the mailbox database servers. This relationship can expedite the attacker's ability to advance to internal systems.
Remediation and Mitigation
Microsoft recommends applying updates to affected Exchange environments immediately. It is worth noting that you must apply missing cumulative updates before applying the March Security Updates. Applying the security updates to targeted Exchange servers is a critical step, but it may not be the correct first action for your organization. Given the severity of this incident, the criticality of the systems at risk, and the potential presence of an existing backdoor connection created by an adversary, re-imaging systems is highly recommended. Here are a few steps to consider while you begin remediation:
- Re-image or patch existing servers with the latest security updates. Most Exchange environments divide roles among multiple servers, so your team should prioritize the Internet-facing servers responsible for services like OWA. Microsoft's blog post also describes a variety of interim mitigation options.
- During re-imaging and patching, scan systems for indicators of compromise (IOC).
- Continue recovery efforts. Examine internal systems for signs of lateral movement originating from your Exchange environment.
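The "scan systems for indicators of compromise" step above is easier when you have a trusted reference to compare against, because the chain described earlier ends with a web shell dropped into a web-served directory. The script below is an added example, not code from the original post or from Microsoft: it records a SHA-256 baseline of the server-side script files (.aspx, .ashx, .asmx, .asp) under one or more web roots taken from a known-good server (for instance a freshly re-imaged and patched one, as the post recommends), then reports any script files that are new, modified, or removed on a server under investigation. The directory paths, file names, and the `demo()` sample tree are all constructed for illustration; the real Exchange web root locations on your servers are an assumption you supply on the command line. It deliberately compares content hashes rather than timestamps, since an adversary running as SYSTEM can alter file times, and it is a complement to, not a replacement for, the published ProxyLogon indicators.

```python
"""File-integrity diff for server-side script files in web roots (added example)."""
import argparse
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# Server-side script types that a web shell would typically be written as.
# Limiting the scan to these keeps it fast on a large web root.
WEB_SHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(web_roots) -> dict:
    """Map absolute path -> SHA-256 for every server-side script file under the given roots."""
    result = {}
    for root in web_roots:
        for path in Path(root).rglob("*"):
            if path.is_file() and path.suffix.lower() in WEB_SHELL_EXTENSIONS:
                result[str(path.resolve())] = hash_file(path)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Return sorted lists of script files that are new, modified, or removed versus the baseline."""
    new = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"new": new, "modified": modified, "removed": removed}


def demo() -> dict:
    """Constructed sample run: a fake web root is baselined, then a script file is dropped and
    another is edited. Returns the compare() result keyed by file name so it can be checked
    without a real Exchange server (the directory layout is illustrative only)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "owa" / "auth"  # placeholder path, not a real Exchange location
        root.mkdir(parents=True)
        (root / "logon.aspx").write_text("<%@ Page Language=\"C#\" %> legitimate logon page")
        (root / "errorFE.aspx").write_text("legitimate error page")
        (root / "logon.css").write_text("body {}")  # not a script type, ignored by the scan
        baseline = snapshot([root])
        # Simulate post-compromise changes: one new script file, one edited existing file.
        (root / "dropped_file.aspx").write_text("constructed placeholder, not a real web shell")
        (root / "errorFE.aspx").write_text("legitimate error page with appended content")
        result = compare(baseline, snapshot([root]))
    return {key: [Path(p).name for p in paths] for key, paths in result.items()}


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="Baseline and diff server-side script files.")
    sub = parser.add_subparsers(dest="cmd", required=True)
    b = sub.add_parser("baseline", help="record hashes from a known-good server")
    b.add_argument("out", help="JSON file to write")
    b.add_argument("roots", nargs="+", help="web root directories to scan")
    c = sub.add_parser("compare", help="diff a server against a saved baseline")
    c.add_argument("baseline", help="JSON file written by 'baseline'")
    c.add_argument("roots", nargs="+", help="web root directories to scan")
    args = parser.parse_args(argv)
    if args.cmd == "baseline":
        Path(args.out).write_text(json.dumps(snapshot(args.roots), indent=2))
        return 0
    findings = compare(json.loads(Path(args.baseline).read_text()), snapshot(args.roots))
    print(json.dumps(findings, indent=2))
    # Non-zero exit when anything changed, so the check can gate a remediation pipeline.
    return 1 if any(findings.values()) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Usage is `python webshell_diff.py baseline good.json <web-root> ...` on the trusted server and `python webshell_diff.py compare good.json <web-root> ...` on each server under review; any entry under "new" or "modified" is a file to pull for analysis before the server is trusted again. Because the baseline keys are absolute paths, run the scan against the same directory layout on both servers.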
Ultimately, your investigation, remediation, and mitigation activities should be driven by your organization's incident response plan. If your organization's IT team or Managed Service Provider (MSP) can re-image the Exchange servers and restore them from backup, this would be an appropriate response and not out of line considering the severity of the attack. Please feel free to reach out to your account team or email us at firstname.lastname@example.org if you have any questions.