CISA and FBI Issue Joint Advisory on Exchange Server Hafnium Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory on Microsoft Exchange Server compromises (AA21-069A) on Wednesday that consolidates advice for Exchange Server users on detecting Hafnium attacks.
The advice, which offers practical measures for IT pros to take, is largely a repackaging of previously published material, and was "partially derived from multiple open source reports." Organizations running on-premises Exchange Server products are currently under active attack by a suspected nation-state actor, dubbed "Hafnium," via zero-day vulnerabilities in those products. Microsoft's Exchange Online service is not considered to be vulnerable.
In general, CISA and the FBI are advising organizations running Exchange Server to look for indicators of compromise using various tools and logs. If indicators of compromise are detected and organizations lack forensic skills for further investigation, then they should "immediately disconnect Microsoft Exchange on-premises servers."
Moreover, organizations are advised to report indicators of compromise, the presence of web shell code, unauthorized access to accounts and "evidence of lateral movement by malicious actors" to either CISA or the FBI, per the advisory document.
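The advisory's detection step is stated at a high level, so here is one concrete way to carry out the "presence of web shell code" check. This is an added example written for this article, not code from CISA, the FBI or Microsoft. It assumes (labelled in the code) the two Exchange front-end directories that public post-incident guidance in March 2021 most often named as web shell drop locations, and it uses content heuristics for one-line ASPX shells of the China Chopper style plus generic code-execution primitives; both are triage aids, not a complete signature set. The `demo()` function builds a constructed directory tree with a benign logon page and two planted sample files so the scanner can be run offline.

```python
"""Web shell triage for on-premises Exchange front-end directories.

Added example, not part of the advisory or the article. Assumptions:
- SUSPECT_DIRS are default install paths cited in March 2021 public
  triage guidance; relocated installs need editing.
- PATTERNS are heuristics for China Chopper style ASPX one-liners and
  for exec primitives that do not belong in a login page.
"""
import os
import re
import tempfile
from typing import Dict, List

# Directories where dropped .aspx web shells were most often reported.
SUSPECT_DIRS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
]

# Content heuristics: (name, compiled regex). Order matters for output.
PATTERNS = [
    ("chopper_eval", re.compile(
        r'eval\s*\(\s*Request\.(?:Item|Form|Params|QueryString)\s*\[', re.I)),
    ("jscript_unsafe", re.compile(
        r'Language\s*=\s*"?Jscript"?.*"unsafe"', re.I | re.S)),
    ("process_exec", re.compile(
        r'System\.Diagnostics\.Process|ProcessStartInfo|cmd\.exe\s*/c', re.I)),
    ("reflective_load", re.compile(
        r'Assembly\.Load\s*\(|Activator\.CreateInstance\s*\(', re.I)),
    ("file_drop", re.compile(r'File\.WriteAllBytes\s*\(|\.SaveAs\s*\(', re.I)),
]


def classify_aspx(content: str) -> List[str]:
    """Return the names of every heuristic the file body matches."""
    return [name for name, rx in PATTERNS if rx.search(content)]


def is_aspnet_client_dir(path: str) -> bool:
    """aspnet_client holds static helper scripts only; any .aspx there is anomalous."""
    parts = [p.lower() for p in re.split(r"[\\/]", path)]
    return "aspnet_client" in parts


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk `root` and flag .aspx files that look like web shells.

    A file is reported if its body matches a heuristic, or if it sits
    under an aspnet_client directory regardless of content.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".aspx"):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    body = fh.read()
            except OSError:
                continue  # unreadable file: note it manually, do not crash the sweep
            reasons = classify_aspx(body)
            if is_aspnet_client_dir(dirpath):
                reasons.append("aspx_in_aspnet_client")
            if reasons:
                findings.append({"path": full, "reasons": sorted(reasons)})
    return sorted(findings, key=lambda f: str(f["path"]))


def demo() -> List[Dict[str, object]]:
    """Build a constructed sample tree (not real server data) and scan it."""
    root = tempfile.mkdtemp(prefix="exchange_triage_")
    auth = os.path.join(root, "FrontEnd", "HttpProxy", "owa", "auth")
    client = os.path.join(root, "wwwroot", "aspnet_client")
    os.makedirs(auth)
    os.makedirs(client)
    samples = {
        # Benign-looking page: server-side markup, no exec primitives.
        os.path.join(auth, "logon.aspx"):
            '<%@ Page Language="C#" %>\n<html><body><form runat="server">'
            '<asp:TextBox ID="username" runat="server" /></form></body></html>',
        # Constructed China Chopper style one-liner; inert as a plain file.
        os.path.join(auth, "help.aspx"):
            '<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>',
        # Bland body, but .aspx under aspnet_client is anomalous on its own.
        os.path.join(client, "system_web.aspx"):
            '<%@ Page Language="C#" %><% Response.Write("ok"); %>',
    }
    for path, body in samples.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    targets = [d for d in SUSPECT_DIRS if os.path.isdir(d)]
    results = [f for d in targets for f in scan_tree(d)] if targets else demo()
    for f in results:
        print(f["path"], "->", ", ".join(f["reasons"]))
```

Run on a server, the script sweeps the two assumed directories; anywhere else it falls back to the constructed sample tree. A hit is a reason to preserve the file and its timestamps before touching it, and, per the advisory, to disconnect the server if nobody on hand can take the investigation further. The heuristics will miss obfuscated shells, so treat an empty result as "nothing obvious," not as a clean bill of health.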
The joint CISA-FBI advisory may be useful because so much advice has dribbled out since Microsoft's March 2 disclosure of the active attacks on Exchange Server, leveraging multiple zero-day vulnerabilities.
Many other voices have since chimed in on the topic. For organizations that already know they've been compromised, Microsoft Most Valuable Professional (MVP) Jaap Wesselius described the nuances involved in destroying and rebuilding an Exchange Server implementation in this blog post.
VMware Carbon Black's Threat Analysis Unit published detection steps to take for Exchange Server users. Users of the VMware Carbon Black security solution running "3.6 sensor versions are protected out of the box," VMware's announcement explained.
Microsoft recently offered downloadable security patches for Exchange Server installations that lack the latest cumulative updates (CUs), a temporary measure to get products patched quickly, but not all CU versions are supported. A helpful list of the supported CUs was compiled by MVP Michel de Rooij in this blog post. If an organization is running an Exchange Server CU version that's not on the list, it will need to upgrade to a supported CU before applying Microsoft's Hafnium security patches.
Organizations may be running Exchange Server simply because Microsoft requires it for synchronization with its online services. This problem was recounted by MVP Steve Goodman in a recent Petri post. He described the years-long history of this circumstance, which has now become a potential security issue for organizations with "hybrid" (cloud services plus on-premises servers) environments. Microsoft acknowledged the issue at Ignite 2020, but it apparently went unmentioned during this month's Ignite 2021 event, Goodman noted.
SophosLabs has published a proof-of-concept attack tool that can be used to test defenses against Hafnium-style attacks. Here's how it was described by Andrew Brandt, principal researcher at Sophos:
As mentioned in the Sophos News article, the proof-of-concept tool gives Blue and Red teams and the broader security community the opportunity to simulate an attack like Hafnium's in order to develop stronger defenses.
IT solutions firm Quest plans to conduct an online public talk on detecting the Exchange Server Hafnium attacks, per this Quest announcement. The March 12 talk will feature discussions by MVPs Jeff Guillet, Michael Van Horenbeeck and Paul Robichaux, plus Bryan Patton of Quest.
Exchange Server Attack Timeline
Microsoft was first alerted to the Exchange Server attacks by security firm Devcore on Jan. 5, according to a timeline published in this KrebsonSecurity post. Security firms Volexity and Dubex also spotted the attacks in January, with Dubex notifying Microsoft on Jan. 27 and Volexity doing the same on Feb. 2.
Microsoft initially had planned to release fixes for the Exchange Server zero-day vulnerabilities on "update Tuesday" (March 9), but instead released them a week earlier (March 2), per the KrebsonSecurity timeline.
Another Hafnium timeline, produced in an article by Joe Slowik, a senior security researcher with security firm DomainTools, suggested that initial Hafnium group activity may have started a couple of months before security researchers first reported it, possibly as early as November 2020.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.