Microsoft identified a pattern of zero-day exploits used by a group of malicious actors, now known as HAFNIUM, to attack on-premises Microsoft Exchange Servers. HAFNIUM is assessed to be a state-sponsored threat actor operating out of China that targets entities in the United States to exfiltrate information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs; although based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States. In this article, we will elaborate on HAFNIUM and the zero-day exploits it used, and how to protect against them.
How Does the HAFNIUM Zero-Day Exploit Work?
The attack on on-premises Exchange Servers proceeds in three steps.
- The actor gains access to on-premises Exchange Servers either with stolen passwords or by exploiting previously undisclosed vulnerabilities, disguising itself as someone with legitimate access.
- They then plant a web shell on the server to control it remotely.
- Finally, they use that remote access, operating from U.S.-based leased private servers, to steal data from organizations whose Exchange Servers have been compromised.
How to Determine If Exchange Server Is Compromised by HAFNIUM?
Microsoft has shared several resources, including indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate if their systems have been compromised by the HAFNIUM attack and implement proactive detections. Here are some methods to check if on-premises Exchange Servers have been compromised.
- Run the script provided by the Microsoft Exchange Server team (the Exchange Server Health Checker script) to get an inventory of the patch-level status of on-premises Exchange servers.
- Scan the Exchange log files for HAFNIUM indicators of compromise (IOCs) using the Microsoft-provided IOC scanning script, which has since been updated to address performance and memory issues.
- Check the web-accessible Exchange directories for web shells by looking for suspicious file hashes, paths, or file extensions.
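As an added example (this is not code from the original article or from Microsoft's scripts), the PowerShell below reproduces two of the checks listed above in a self-contained form: it looks for the CVE-2021-26855 indicator in HttpProxy-style log rows (an anonymous request whose AnchorMailbox has the form `ServerInfo~<host>/<path>`), and it lists `.aspx` files in the directories where web shells were dropped, flagging any whose SHA-256 is on a supplied blocklist or that were written after a given date. The log rows are constructed sample data with only a subset of the real columns; the directory list and the `$env:ExchangeInstallPath` path are assumptions about a standard Exchange 2013+ install, and the hash blocklist is left empty so that you can fill it from Microsoft's published IOC list.

```powershell
# Added example, not part of the original article. Constructed sample data;
# column names follow the HttpProxy log layout but only a subset is included.

# --- Check 1: CVE-2021-26855 indicator in HttpProxy logs -------------------
# Requests with no authenticated user but an AnchorMailbox of the form
# "ServerInfo~<host>/<path>" are the SSRF signature Microsoft published.
function Find-ProxyLogonSsrf {
    param([Parameter(Mandatory)][string[]]$LogText)   # CSV text, header line first
    $LogText | ConvertFrom-Csv | Where-Object {
        [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
        $_.AnchorMailbox -like 'ServerInfo~*/*'
    } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
}

# Constructed sample rows (assumed layout, not a real capture).
$sampleLog = @(
    'DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox',
    '2021-03-02T10:15:01.000Z,1001,203.0.113.5,/owa/auth/x.js,,ServerInfo~exchange.contoso.local/ecp/',
    '2021-03-02T10:15:03.000Z,1002,198.51.100.7,/owa/,CONTOSO\jdoe,Sid~S-1-5-21-1-2-3-1001',
    '2021-03-02T10:16:09.000Z,1003,203.0.113.5,/ecp/y.js,,ServerInfo~exchange.contoso.local/ecp/DDI/'
)
# Expected: rows 1001 and 1003 are returned; 1002 is an authenticated user.

# --- Check 2: .aspx files in the directories web shells were written to ----
# Legitimate .aspx files live in some of these paths, so the date filter is a
# triage heuristic: anything written after the cut-off, or matching a known
# web shell hash, deserves a manual look. $KnownBadSha256 is intentionally
# empty here; populate it from Microsoft's published IOC hashes.
function Find-SuspiciousAspx {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string[]]$KnownBadSha256 = @(),
        [datetime]$NewerThan = [datetime]'2021-01-01'
    )
    foreach ($dir in $Path) {
        if (-not (Test-Path -Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                $knownBad = $KnownBadSha256 -contains $hash
                if ($knownBad -or $_.LastWriteTimeUtc -gt $NewerThan) {
                    [pscustomobject]@{
                        Path         = $_.FullName
                        Sha256       = $hash
                        LastWriteUtc = $_.LastWriteTimeUtc
                        Reason       = $(if ($knownBad) { 'known web shell hash' } else { 'recently written .aspx' })
                    }
                }
            }
    }
}

# Directories Microsoft listed as web shell drop locations (assumed default install paths).
$webShellDirs = @(
    'C:\inetpub\wwwroot\aspnet_client',
    "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth"
)

Find-ProxyLogonSsrf -LogText $sampleLog | Format-Table -AutoSize
Find-SuspiciousAspx -Path $webShellDirs | Format-Table -AutoSize
```

On a real server, replace `$sampleLog` with the contents of the files under `$env:ExchangeInstallPath\Logging\HttpProxy` (for example `Get-Content` over `Get-ChildItem -Recurse -Filter '*.log'`), and treat a hit from either function as a reason to preserve the server for forensic investigation rather than simply deleting the file.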
What to Do After the HAFNIUM Zero-Day Exploits?
Here are the immediate steps to take in response to the HAFNIUM zero-day exploits.
- Take inventory of the on-premises Exchange Servers and apply the out-of-band security updates that address CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
- Scan the Exchange Servers even if the patches have been applied: the updates close the vulnerabilities but do not remove web shells or other persistence already planted, and the vulnerabilities were exploited in the wild as early as January 2021.
- Monitor activity on Exchange Servers and endpoints. Post-exploitation activity, such as PowerShell being launched from the web server process, indicates that further investigation and remediation are necessary.
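The post-exploitation pattern in the last step can be hunted in Windows Security event 4688 (process creation). The PowerShell below is an added example, not from the original article: it flags events in which the IIS worker process `w3wp.exe` spawns a shell or scripting host, first against a few constructed sample records and then, via `Get-W3wpChildEvents`, against the live Security log. It assumes that "Audit Process Creation" is enabled on the server (and, for the `CommandLine` field, that "Include command line in process creation events" is turned on); the list of suspicious child processes is my choice and can be extended.

```powershell
# Added example, not part of the original article. Sample events are constructed.

# Child processes that the IIS worker process has no business launching.
$suspiciousChildren = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'cscript.exe', 'wscript.exe', 'certutil.exe')

# Returns $true when a process-creation record shows w3wp.exe spawning one of them.
function Test-W3wpChild {
    param([Parameter(Mandatory)][pscustomobject]$Event)
    $parent = [System.IO.Path]::GetFileName($Event.ParentProcessName).ToLowerInvariant()
    $child  = [System.IO.Path]::GetFileName($Event.NewProcessName).ToLowerInvariant()
    return ($parent -eq 'w3wp.exe') -and ($suspiciousChildren -contains $child)
}

# Live query: pull 4688 events since $Since, flatten the EventData fields and
# keep only w3wp.exe -> shell launches. Requires process creation auditing.
function Get-W3wpChildEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated       = $_.TimeCreated
                ParentProcessName = $data['ParentProcessName']
                NewProcessName    = $data['NewProcessName']
                CommandLine       = $data['CommandLine']   # empty unless command-line auditing is on
            }
        } | Where-Object { Test-W3wpChild -Event $_ }
}

# Constructed sample records in the same shape as the live output.
$sampleEvents = @(
    [pscustomobject]@{
        TimeCreated       = [datetime]'2021-03-03T02:11:40Z'
        ParentProcessName = 'C:\Windows\System32\inetsrv\w3wp.exe'
        NewProcessName    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine       = 'powershell.exe -nop -w hidden -c whoami'
    },
    [pscustomobject]@{
        TimeCreated       = [datetime]'2021-03-03T02:12:05Z'
        ParentProcessName = 'C:\Windows\System32\inetsrv\w3wp.exe'
        NewProcessName    = 'C:\Windows\System32\conhost.exe'      # normal, not flagged
        CommandLine       = 'conhost.exe 0xffffffff -ForceV1'
    },
    [pscustomobject]@{
        TimeCreated       = [datetime]'2021-03-03T02:13:22Z'
        ParentProcessName = 'C:\Windows\explorer.exe'              # admin session, not flagged
        NewProcessName    = 'C:\Windows\System32\cmd.exe'
        CommandLine       = 'cmd.exe'
    }
)

# Expected: only the first sample record is returned.
$sampleEvents | Where-Object { Test-W3wpChild -Event $_ } | Format-Table -AutoSize

# Uncomment on a real Exchange server:
# Get-W3wpChildEvents | Format-Table -AutoSize
```

A hit from this query is strong evidence of an active web shell, because `w3wp.exe` only runs code that was served through IIS; it should trigger the same preservation and investigation steps as a web shell found on disk.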
Apps4Rent Can Help Fix HAFNIUM Zero-Day Vulnerabilities
Apps4Rent is one of the oldest hosted-Exchange service providers, operating since 2003. We have thousands of Exchange Server users on different editions and versions of Microsoft Exchange, whom we have been protecting against such attacks, minimizing damage, and proactively managing Exchange Servers on their behalf.
If your organization is using Exchange Server and needs assistance with investigation and patching for the HAFNIUM zero-day exploits or the recent Solorigate incident, our Microsoft-certified experts, who are available 24/7 via phone, chat, and email, can provide consulting services. Additionally, we can provide fully managed Exchange Server hosting services, or help you migrate to the always-updated Exchange Online service in the appropriate Office 365/Microsoft 365 plan for better protection against such attacks in the future.