{"id":6113,"date":"2021-03-11T19:34:32","date_gmt":"2021-03-12T03:34:32","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6113"},"modified":"2023-10-12T11:23:40","modified_gmt":"2023-10-12T18:23:40","slug":"hafnium-targeting-exchange-servers-with-zero-day-exploit","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/hafnium-targeting-exchange-servers-with-zero-day-exploit\/","title":{"rendered":"HAFNIUM Targeting Exchange Servers with Zero-Day Exploit"},"content":{"rendered":"

Early in March, Microsoft released a set of <\/span>Exchange Server Security Updates<\/span><\/a> for various versions of Exchange servers. These updates were in response to published Microsoft Common Vulnerabilities and Exposure (CVE), the first of which allows threat groups to authenticate to the Exchange server. Once authenticated, the rest of the vulnerabilities allowed the threat actor to gain complete control and remotely execute commands on the exploited Microsoft Exchange servers anywhere in the world.<\/span><\/p>\n

Microsoft\u2019s blog1<\/sup><\/span> entitled, \u201cHAFNIUM targeting Exchange Servers with 0-day Exploits\u201d <\/span>notes that Microsoft <\/span>had detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server. The threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to <\/span>HAFNIUM<\/span><\/a>, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.<\/span><\/p>\n

Many thousands of organizations within the United States have already been breached by the HAFNIUM threat actor group. HAFNIUM is alleged to work from within China and seems to focus on stealing information on infectious disease research, defense contractors, policy think tanks, and more. It may be the case that the HAFNIUM threat actors and others control many thousands, if not \u201chundreds of thousands\u201d of Microsoft Exchange Servers worldwide.2<\/sup><\/span> The press has reported different estimates as to the current number of victims. This past Friday, the Wall Street Journal cited a source3<\/sup><\/span> that said the number of victims of the attack could be 250,000 or more.<\/span><\/p>\n

A RAPIDLY ESCALATING THREAT<\/span><\/i><\/h3>\n

Beyond the danger presented by the HAFNIUM threat actor group, it is also believed that at least four other threat actor groups4<\/sup><\/span> are also exploiting the Exchange server vulnerabilities. While HAFNIUM has been using the flaws in the Exchange server to steal email from organizations which they targeted, now that the vulnerabilities are public and well understood, many other threat actor organizations are moving rapidly to exploit them.<\/span><\/p>\n

In further rapid response, the Cybersecurity & Infrastructure Security Agency (CISA) issued Alert AA21-062A5<\/sup><\/span> on \u201cMitigate Microsoft Exchange Server Vulnerabilities.\u201d CISA noted within the alert that \u201cthe successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network.\u201d\u00a0<\/span><\/p>\n

REVIEW OF THE MICROSOFT CVEs<\/span><\/i><\/h3>\n

Per Microsoft, these vulnerabilities are part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file. <\/span>The specific CVE\u2019s to note follow below:<\/span><\/p>\n