A Chinese hacker group we know as “Hafnium” exploited four vulnerabilities in MS Exchange Servers that run Outlook Web App (OWA) allowing them to access corporate email (and to basically run whatever commands they desired). Microsoft announced in March that hundreds of thousands of email servers (not Office 365) were compromised and were ripe for exploit by the very busy Hafnium team.
On January 6, Hafnium started in earnest to exploit email systems that they had previously installed “web shells” on. Web shells are small web applications that act as a terminal. They allow attackers to execute commands and receive feedback from the compromised system. In March, Microsoft advised to its corporate Exchange Server users to look for tell-tale signs of the compromise; namely a web shell operating on their Exchange server. And of course, Microsoft offered patches that close the vulnerabilities … perhaps after Hafnium had their way with the email server.
This is what the public generally knows:
- Hafnium exploited four zero-day vulnerabilities that made their attack possible.
- Hafnium – typical of other Chinese hacking teams – appears to be very interested intellectual property. Their targets are often consultancies, law firms, and other profession services firms who hold tremendous amounts of intellectual property on behalf of many clients.
- Hafnium worked very hard to grab as much data as they could from as many servers as they had exploited since January, and are still actively exploiting systems that are not yet fixed.
- Microsoft’s fix was readily available and continues to be available.
This is what you should not be focused on:
- Don’t wait for vendors to announce vulnerabilities so you can react to them. Use defense-in-depth approaches, like a web application firewall (WAF) in front of your OWA server, vulnerability scanners, file integrity monitors, and patch management systems.
- Don’t think you’re done when you patch your system. If you have a rogue web shell operating on your email server, you have some forensic analysis to do.
- Don’t breathe a sigh of relief because there was no PII in your mail server. Intelligence about who knows whom and confidential corporate information is what the Chinese are after. Expect a rise in social engineering and phishing attacks soon if you were compromised.
This is what you should be focused on:
- Follow Microsoft’s advice for investigating and patching your email servers.
- Include corporate secrets (including who knows whom, intellectual capital, and business confidential communications) in your risk management program as highly sensitive information, and protect your email systems as comprehensively has you secure your most sensitive systems and applications.
- Include all web services (like OWA) in your WAF protection.
- If your email server was compromised and you did not detect the added files, new services, and new communications, add your email services to your file integrity monitoring, patch management, and SIEM alerting programs.