{"id":1358,"date":"2021-03-03T20:55:00","date_gmt":"2021-03-03T20:55:00","guid":{"rendered":"https:\/\/www.pax8.com\/future-blog\/alert-hafnium\/"},"modified":"2023-05-17T00:59:41","modified_gmt":"2023-05-17T00:59:41","slug":"alert-hafnium","status":"publish","type":"post","link":"https:\/\/www.pax8.com\/blog\/alert-hafnium\/","title":{"rendered":"Protect against HAFNIUM 0-Day Exploits"},"content":{"rendered":"

Last updated on Wednesday, March 10, 2021 at 4:30pm<\/i>\u00a0MT.<\/i><\/p>\n

Immediate actions to take to protect your clients and your business.<\/p>\n

On Tuesday, March 2, 2021, Microsoft announced that they\u00a0identified new nation-state cyberattacks<\/a>, named\u00a0HAFNIUM,\u00a0using previously unknown exploits that target\u00a0vulnerabilities in\u00a0the company\u2019s on-premises Exchange Server software.<\/p>\n

In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.<\/p>\n

The vulnerabilities exist in on-premises Exchange Servers 2010, 2013, 2016, and 2019. Exchange Online is not affected, and Microsoft\u00a0has\u00a0no evidence that\u00a0HAFNIUM\u2019s\u00a0activities targeted individual consumers or that these exploits impact other Microsoft products.<\/p>\n

Microsoft highly recommends that you take immediate action to apply the patches for any on-premises Exchange deployments<\/b>\u00a0<\/b>you own\u00a0or are managing for a customer or advise your customer\u00a0to take\u00a0these steps.\u00a0Here’s what you need to know and do to protect your on-premises\u00a0Exchange servers from falling victim to a\u00a0HAFNIUM\u00a0attack.<\/p>\n

How\u00a0The\u00a0HAFNIUM\u00a0Attacks\u00a0Work<\/h2>\n

While\u00a0based in China,\u00a0HAFNIUM\u00a0conducts its operations primarily from leased virtual private servers\u202f(VPS)\u202fin the United States.\u00a0The attacks\u00a0include three steps:<\/p>\n

1. It gains\u00a0access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.<\/p>\n

2. It creates\u00a0what\u2019s called a web shell to control the compromised server remotely.<\/p>\n

3. It uses\u00a0that remote access\u00a0\u2014\u00a0run from the US-based private servers\u00a0\u2014\u00a0to steal data from an organization\u2019s network.<\/p>\n

Immediate\u00a0Actions\u00a0to Take<\/h2>\n

On March 3, 2021, Pax8 hosted a live Q&A where we discussed the immediate actions you can take to defend against this urgent cyberattack \u2014 as well as how to protect your clients and your business from these types of cyberattacks in the future. Watch the full recorded session below.<\/p>\n

New Consolidated Guidance from Microsoft<\/h3>\n

Microsoft has shared additional guidance and product updates to help you and your clients following last week\u2019s\u00a0March 2021 Exchange Server\u00a0Security Updates<\/a>.\u00a0The below guidance consolidates information from multiple Microsoft blogs and communications to explain the situation and help clarify the steps required to respond:<\/p>\n

\u2022<\/strong> An updated MSRC blog post Multiple Security Updates Released for Exchange Server \u2013 updated March 8, 2021<\/a>\u00a0to provide a comprehensive overview of the security updates for Exchange Server and recommended steps to patch and remediate.<\/p>\n

\u2022 <\/strong>Step-by-step instructions on patching and remediation<\/a>, detailed by version of Exchange Server.<\/p>\n

Regardless of your long-term plans for Exchange on-premises, these steps should be taken\u00a0immediately\u00a0to secure on-premises deployments from these newly found zero-day threats:<\/p>\n

Immediately Patch\u00a0Your Exchange Environments<\/h3>\n

A major zero-day incident is the exact scenario for which abnormal patching schedules exist. Just like Microsoft broke their normal patch release schedule, you must not wait for Patch Tuesday to deploy these patches.<\/p>\n

Exchange patch information:<\/p>\n