Microsoft HAFNIUM hack – Take action now
Unless you’ve been off-radar for the past few weeks you’ll have seen Microsoft scrambling to patch a series of critical zero-day vulnerabilities in its email platform, MS Exchange. This post covers what you should do if you are an MS Exchange customer, how to check for compromise and, importantly, why Microsoft 365 Exchange Online customers cannot ignore the risks.
Collectively known as HAFNIUM, the vulnerabilities can lead to a range of potential exploits: Remote Code Execution (RCE), server hijacking, data theft and further malware deployment, affecting MS Exchange 2013, 2016 and 2019. Microsoft believes they were initially identified and exploited by a nation-state hacking group, but exploitation is now widespread, with evidence that since January 2021 they have been actively exploited by multiple threat actors, and with Proof-of-Concept code now available online this is likely to increase. Microsoft is so concerned about the severity of these vulnerabilities that it has stepped outside of its standard support stance and released patches for unsupported Exchange versions that some customers may still have installed (all updates are available here: https://support.microsoft.com/kb/5000871).
While patching is crucial and prevents initial exploitation, it is only half the battle. It won’t protect you from further exploitation if your systems have already been compromised, but how do you know if that is the case? Indicators of Compromise (IoCs) will help you to determine if you’ve been breached and, if so, when it occurred and what subsequent actions you need to take. Full technical details of what to look for are covered here: https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/
One last point that is important to clarify is who is affected by these exploits. Microsoft has been clear that Microsoft 365 Exchange Online is not affected, leading customers of the cloud platform to overlook this issue entirely. However, it is important to note that in some configurations, particularly where Active Directory synchronisation is in place, an on-premises Exchange server should still exist for user management, as this is currently the only supported method for managing the email attributes of a synchronised user (this is documented here: https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange). This has led to much confusion, and I cannot emphasise strongly enough that any organisation with an Active Directory synchronised environment must check for the existence of Exchange within its environment and ensure it is patched, even if it is not used directly for mail flow or published to the internet.
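One way to carry out that check is to ask Active Directory itself, since every on-premises Exchange install registers itself in the forest’s Configuration partition. The script below is an added example and not part of the original post or Microsoft’s guidance; it assumes the RSAT ActiveDirectory module and a domain account that can read the Configuration and Schema partitions, and it leaves the comparison of each reported build against the patched builds in KB5000871 to you.

```powershell
# Added example (not from the original post): enumerate on-premises Exchange
# servers registered in Active Directory, so that an organisation that only
# "uses" Exchange Online can confirm whether a server still exists that needs
# the patches from https://support.microsoft.com/kb/5000871.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration
# and Schema partitions (no Exchange permissions are required).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# 1. Has the forest schema ever been extended for Exchange? If this object is
#    missing, Exchange has never been installed in this forest.
$schemaObj = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" `
    -Properties rangeUpper -ErrorAction SilentlyContinue
if (-not $schemaObj) {
    Write-Output "No Exchange schema extension found; Exchange has never been installed here."
    return
}
Write-Output "Exchange schema version (rangeUpper): $($schemaObj.rangeUpper)"

# 2. List every Exchange server object under the Configuration partition.
#    serialNumber holds the product version string, e.g. 'Version 15.1 (Build 2176.2)';
#    compare it with the build list in KB5000871 to decide whether it is patched.
$servers = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" `
    -LDAPFilter '(objectClass=msExchExchangeServer)' `
    -Properties serialNumber, msExchServerSite, whenChanged

if (-not $servers) {
    Write-Output "Schema is extended but no Exchange server objects remain (servers were uninstalled)."
    return
}

foreach ($s in $servers) {
    # Cross-check that the computer account still exists and when it last
    # authenticated: a missing or stale account points to a decommissioned host
    # that was never cleanly removed from Exchange, which still needs review.
    $computer = Get-ADComputer -Filter "Name -eq '$($s.Name)'" `
        -Properties LastLogonDate -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server        = $s.Name
        Version       = ($s.serialNumber -join '; ')
        ADSite        = (($s.msExchServerSite -split ',')[0] -replace '^CN=')
        ConfigChanged = $s.whenChanged
        ComputerFound = [bool]$computer
        LastLogon     = if ($computer) { $computer.LastLogonDate } else { $null }
    }
}
```

Any server the script lists must be treated as in scope for patching and for the IoC checks in Microsoft’s responder guidance, whether or not it is published to the internet.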
For full information on this, Microsoft has been keeping this webpage updated: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
The threat posed by the HAFNIUM vulnerabilities should not be underestimated by any organisation. If you have Exchange servers in your datacentre, ensure they are patched and examine your environment for signs of compromise. And remember: even if you have moved to Exchange Online, you may still have Exchange servers on-premises that must be patched.
If you need more information, please contact the team here at Gardner Systems; you can easily book a 30-minute appointment here with our team to discuss.