Protect against HAFNIUM 0-Day Exploits

Pax8

Last updated on Wednesday, March 10, 2021 at 4:30pm MT.

Immediate actions to take to protect your clients and your business.

On Tuesday, March 2, 2021, Microsoft announced that they identified new nation-state cyberattacks, named HAFNIUM, using previously unknown exploits that target vulnerabilities in the company’s on-premises Exchange Server software.

In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.

The vulnerabilities exist in on-premises Exchange Servers 2010, 2013, 2016, and 2019. Exchange Online is not affected, and Microsoft has no evidence that HAFNIUM’s activities targeted individual consumers or that these exploits impact other Microsoft products.

Microsoft highly recommends that you take immediate action to apply the patches for any on-premises Exchange deployments you own or are managing for a customer or advise your customer to take these steps. Here’s what you need to know and do to protect your on-premises Exchange servers from falling victim to a HAFNIUM attack.

How The HAFNIUM Attacks Work

While based in China, HAFNIUM conducts its operations primarily from leased virtual private servers (VPS) in the United States. The attacks proceed in three steps:

1. It gains access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.

2. It creates what’s called a web shell to control the compromised server remotely.

3. It uses that remote access — run from the US-based private servers — to steal data from an organization’s network.

Immediate Actions to Take

On March 3, 2021, Pax8 hosted a live Q&A where we discussed the immediate actions you can take to defend against this urgent cyberattack — as well as how to protect your clients and your business from these types of cyberattacks in the future. Watch the full recorded session below.

New Consolidated Guidance from Microsoft

Microsoft has shared additional guidance and product updates to help you and your clients following last week’s March 2021 Exchange Server Security Updates. The guidance below consolidates information from multiple Microsoft blogs and communications to explain the situation and clarify the steps required to respond:

The MSRC blog post “Multiple Security Updates Released for Exchange Server,” updated March 8, 2021, which provides a comprehensive overview of the security updates for Exchange Server and the recommended steps to patch and remediate.

Step-by-step instructions on patching and remediation, detailed by version of Exchange Server.

Regardless of your long-term plans for Exchange on-premises, these steps should be taken immediately to secure on-premises deployments from these newly found zero-day threats:

Immediately Patch Your Exchange Environments

A major zero-day incident is the exact scenario for which abnormal patching schedules exist. Just like Microsoft broke their normal patch release schedule, you must not wait for Patch Tuesday to deploy these patches.

Exchange patch information:

Check for Indicators of Compromise

Microsoft has released thorough documentation of the indicators of compromise (IoCs) for these attacks. After patching, verify that your client’s environment was not affected by this threat activity. If you find signs of compromise, patching alone is not enough: attackers often leave additional backdoors that preserve their access even after the vulnerable software is patched, and this is even more likely now that the threat actors know patches are being deployed and will try to persist their access. Identify and remediate any other backdoors or exploits in the environment.
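As an added illustration of the IoC check described above (example code, not from Pax8 or Microsoft), the Python script below triages server-side script files under whichever IIS/Exchange web directories you point it at: it flags files that are not on an assumed known-good name list and were modified on or after the patch date, or that contain several constructs typical of a web shell. The heuristic patterns, the baseline list and the sample records are assumptions constructed for this example; Microsoft’s published IoC guidance remains the authoritative reference.

```python
import os
import re
from datetime import datetime, timezone

# Assumed heuristics (not Microsoft's IoC list): server script block, request access, execution call.
SUSPICIOUS_PATTERNS = [re.compile(r"<script[^>]*runat=[\"']?server", re.I),
                       re.compile(r"\bRequest\s*(\[|\.(Item|Form|QueryString))", re.I),
                       re.compile(r"\b(eval|Execute|Process\.Start|ProcessStartInfo)\b", re.I)]

def score_file(path, mtime, content, not_before, baseline):
    """Return the reasons a file looks suspicious; an empty list means nothing was flagged."""
    reasons = []
    if not path.lower().endswith((".aspx", ".ashx", ".asmx")):
        return reasons                      # only server-side script files matter here
    if os.path.basename(path).lower() in baseline:
        return reasons                      # name is on the assumed known-good list
    if mtime >= not_before:
        reasons.append("modified on/after %s" % not_before.date())
    hits = sum(1 for p in SUSPICIOUS_PATTERNS if p.search(content))
    if hits >= 2:
        reasons.append("%d web-shell-like constructs" % hits)
    return reasons

def triage(records, not_before, baseline=frozenset()):
    """records: iterable of (path, aware mtime datetime, text). Returns {path: reasons}."""
    scored = ((p, score_file(p, m, c, not_before, baseline)) for p, m, c in records)
    return {p: why for p, why in scored if why}

def scan_directories(roots, not_before, baseline=frozenset()):
    # Read-only walk of the real web roots; unreadable files are skipped rather than raising.
    def records():
        for root in roots:
            for dirpath, _, names in os.walk(root):
                for name in names:
                    full = os.path.join(dirpath, name)
                    try:
                        text = open(full, "r", errors="replace").read(65536)
                    except OSError:
                        continue
                    yield full, datetime.fromtimestamp(os.stat(full).st_mtime, timezone.utc), text
    return triage(records(), not_before, baseline)

# Constructed sample records standing in for files found on a server.
PATCH_DATE = datetime(2021, 3, 2, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ("owa/auth/logon.aspx", datetime(2020, 6, 1, tzinfo=timezone.utc), "<%@ Page %> shipped file"),
    ("aspnet_client/help.aspx", datetime(2021, 3, 4, tzinfo=timezone.utc),
     '<script runat="server">Execute(Request["q"])</script>'),
]
```

Run `triage(SAMPLE_RECORDS, PATCH_DATE, baseline={"logon.aspx"})` to see the sample verdicts, or `scan_directories([...], PATCH_DATE, baseline)` against real directories; anything flagged still needs manual review against Microsoft’s IoC documentation.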

Harden Your Exchange Environments

The prevalence of zero-day incidents has been increasing over time. Traditional methods of deploying endpoint protection to servers are not enough. You must take a proactive, “assume breach” approach to securing on-premises infrastructure.

To aid this, consider leveraging a managed SOC (Security Operations Center) vendor (SOC as a Service) such as RocketCyber or NovaSOC. These Pax8 vendors offer free 30-day trials, specialize in staying on top of these threats and their associated Indicators of Compromise, and actively hunt for them. This proactive approach can alert you to a potential threat, empowering you to remediate immediately.

The exploits we’re discussing today were in no way connected to the separate SolarWinds-related attacks. Microsoft continues to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services.

Planning Your Next Steps: Moving to the Cloud

Once you have plugged the holes, it is time to look at the next steps for ensuring long term security. There are two key paths to consider.

Zero-days impacting on-premises software are nothing new. Clients in the Microsoft 365 ecosystem benefit from Microsoft’s multi-billion-dollar security investments and extensive team of cyber security professionals.

While no environment is immune to these sophisticated attacks, Microsoft’s investment and security posture position them as a formidable player in prevention, detection, and rapid remediation.

Reach out to Pax8 Professional Services to plan your client’s move to Microsoft 365.

More Resources & Information

For more information, you can access additional resources here:

Microsoft On the Issues blog

Defending Exchange servers under attack

Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server

Released: March 2021 Exchange Server Security Updates

Exchange Team Blog

MSTIC Blog

MSRC Blog

Out of Band Exchange Release Customer Alert

Security Update Guide

Pax8 Resource: Microsoft Exchange Cyberattack Information

Don’t wait to take action on this extremely urgent cybersecurity risk. After completing the immediate actions listed above, the best way to avoid future attacks is to move your business off-prem. To do this, talk with your Cloud Wingman today or work with our Pax8 Professional Services team to ensure that your and your clients’ Microsoft environments stay safe and secure.