Last week, Microsoft released patches for four severe vulnerabilities in Exchange Server that are being exploited by a Chinese state-sponsored group Microsoft calls HAFNIUM. At the time, Microsoft described the exploitation as “limited, targeted attacks”.
Six days have passed and it’s now being reported that over 60,000 Exchange servers have been compromised.
Advanced Data began patching client servers on the evening of March 2nd and had most of them completed that night. Some servers couldn’t be taken down for maintenance, and others errored out during the upgrade process, but they were completed in the following days.
Microsoft today released a tool to detect whether a server was compromised through these vulnerabilities. The tool is a PowerShell script that searches the Exchange logs for indicators of exploitation, and it can be found on GitHub.
We ran this and found that a couple of our clients had been breached and that the breaches happened on Feb 28th — before Microsoft had notified the public of the vulnerability! For those environments we’ve been busy isolating servers, restoring backups, changing passwords, and locking down security policies.
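To show what that kind of log check actually does, here is an added example (not Microsoft’s script, and not code from the original post). It scans Exchange HttpProxy logs for the CVE-2021-26855 indicator Microsoft published for this campaign: requests with no authenticated user whose AnchorMailbox value matches `ServerInfo~*/*`. The column names follow the real HttpProxy CSV header; the function name, the sample rows, the hostnames and addresses, and the temp directory are constructed for the demo.

```powershell
# Added example, not Microsoft's detection script. Scans HttpProxy logs for the
# CVE-2021-26855 indicator: unauthenticated requests whose AnchorMailbox looks
# like "ServerInfo~*/*". Function name, sample rows and paths are constructed.

function Find-ProxyLogonSsrfHits {
    param(
        [Parameter(Mandatory)] [string] $LogPath,
        [datetime] $Since = [datetime]::MinValue   # optional cut-off, e.g. last 30 days
    )

    Get-ChildItem -Path $LogPath -Recurse -File |
        Where-Object { $_.Extension -ieq '.log' } |
        ForEach-Object {
            $file = $_
            $raw  = Get-Content -Path $file.FullName

            # Exchange logs start with "#Software:", "#Log-type:", "#Fields:" etc.
            # The "#Fields:" line carries the column names; use it as the CSV header.
            $fieldsLine = $raw | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
            $data = $raw | Where-Object { $_ -notmatch '^#' -and $_.Trim() -ne '' }

            if ($fieldsLine) {
                $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
                # Tolerate copies that also carry a plain header row after the "#" block.
                if (@($data).Count -gt 0 -and $data[0] -eq ($header -join ',')) {
                    $data = $data | Select-Object -Skip 1
                }
                $rows = $data | ConvertFrom-Csv -Header $header
            } else {
                $rows = $data | ConvertFrom-Csv   # no "#Fields:" line: assume first row is the header
            }

            $rows | Where-Object {
                $_.AnchorMailbox -like 'ServerInfo~*/*' -and
                [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
                [datetime]$_.DateTime -ge $Since
            } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox, HttpStatus,
                              @{ Name = 'LogFile'; Expression = { $file.Name } }
        }
}

# --- constructed sample log: two exploitation attempts and one legitimate OWA logon ---
$sample = @'
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,AuthenticatedUser,AnchorMailbox,UrlStem,ClientIpAddress,HttpStatus
2021-02-28T03:14:07.123Z,0001,,ServerInfo~a]@exch01.contoso.local:444/autodiscover/autodiscover.xml?#,/ecp/y.js,203.0.113.50,200
2021-02-28T03:14:08.456Z,0002,CONTOSO\jdoe,jdoe@contoso.local,/owa/,198.51.100.7,200
2021-03-02T10:02:11.000Z,0003,,ServerInfo~exch01.contoso.local/ecp/DDI/DDIService.svc/GetObject,/ecp/x.js,203.0.113.50,200
'@

$demoDir = Join-Path ([IO.Path]::GetTempPath()) 'httpproxy-demo'
New-Item -ItemType Directory -Force -Path $demoDir | Out-Null
Set-Content -Path (Join-Path $demoDir 'HttpProxy_2021030200-1.LOG') -Value $sample

$hits = @(Find-ProxyLogonSsrfHits -LogPath $demoDir)
$hits | Format-Table -AutoSize
$earliest = ($hits | Sort-Object { [datetime]$_.DateTime } | Select-Object -First 1).DateTime
"Found $($hits.Count) suspicious request(s); earliest at $earliest"
```

On a real server you would point `-LogPath` at `%ExchangeInstallPath%Logging\HttpProxy` and look at the earliest hit: that timestamp, not the patch date, is the start of your incident window, which is exactly how the Feb 28th breaches above were dated. A clean run of this check is not proof of a clean server; it only covers one of the four vulnerabilities, and logs can be trimmed or rotated, so treat it as one indicator alongside the others Microsoft published.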
My thoughts so far:
This Vulnerability is BRUTAL:
The fact that compromises occurred before public notice is a bad sign. I’m guessing that this will rank up there with Heartbleed (2014) and EternalBlue (2017). A challenge admins face is that Exchange Outlook Web App is almost always Internet-facing, so the vulnerable surface is exposed by design. EternalBlue attacked SMB, which very few organizations had open to the outside, and for reasons I can’t fathom when they did!
Exchange wasn’t the Target:
It isn’t clear yet what the end game is for this yet-unnamed exploit. New details are emerging hour by hour, but my guess is that Exchange wasn’t the target, just the attackers’ way to get a foot in the door. In infosec terms this first step is the initial access, or the initial attack vector.
Limit Exposure:
I’m considering what more can be done to protect servers from the unexpected. At this point the IT community is not aware of a security platform (antivirus, intrusion prevention) that caught this exploit. AV and IPS signatures were updated in the hours following the announcement, but signatures can only describe attacks that have already been seen, and these attacks were clearly under way before security vendors could react. Once the dust settles I’ll be meeting with my team to discuss what standards we can implement to prevent or limit exposure like this in the future.
The Final Straw:
Some reports are speculating that the original target was the biggest prize of them all: Microsoft 365. Whether or not that’s true, we can’t tell. But I do know that many admins will treat this event as the “final straw” for why they don’t want to manage an on-premises Exchange Server any longer.
But what happens if (when) Microsoft 365 gets hacked some day? Is it more secure to be in a shared cloud or on a dedicated server under your own control? I’m not going to pretend to know the answer to that because I see pros and cons of both, and many will be pondering this topic in the coming days.
Stay safe, and please let us know if you have questions.