The Microsoft Exchange Server Exploits: What Happened and How to Stay Protected


If your organization runs an on-premises Microsoft Exchange Server 2013, 2016, or 2019, you could be at significant risk from HAFNIUM. To assess your environment, implement the patch, or address a potential breach, our team is here 24/7 and can escalate to incident response as needed. Click here to get started.

Microsoft has become aware of multiple bad actors attacking organizations with on-premises Exchange Servers. These attacks are being attributed to Hafnium, a state-sponsored APT group from China. Here’s everything you need to know about these attacks and how to keep your organization protected.

What happened?

Starting in early March, Microsoft detected multiple zero-day exploits affecting on-premises versions of Microsoft Exchange Server 2013, 2016, and 2019. While Exchange Online was not impacted, organizations with a hybrid Exchange environment are also at risk. These attacks are limited and targeted, but the potential outcomes could be catastrophic.

The attackers used these vulnerabilities to compromise on-premises Exchange servers, which enabled them to access email accounts and install additional malware for further attacks. Once access was secured, the attackers deployed web shells on the compromised server in order to capture data from the account and execute commands remotely.

The vulnerabilities exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Full details about these vulnerabilities from Microsoft can be found here. 

What does that mean for my Microsoft Exchange Server?

This attack is especially harmful because it not only compromises current data, but it also puts the attackers in a position to strike again in the future. Portions of the attack chain can be triggered easily in compromised environments since there’s already remote access.  

“These vulnerabilities are used as part of an attack chain,” Microsoft says. “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”

What can I do to remain protected?

It’s important that any at-risk organization takes immediate action, including assessing for indicators of compromise, threat hunting, and further securing server data. Microsoft released a security patch for affected environments that should be implemented as soon as possible. Read about these critical security updates here.
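As an added example (not code from the original post, from Vandis, or from Microsoft), the script below shows one concrete way to start the first step above, assessing for indicators of compromise. It scans rows of an Exchange HttpProxy log for the CVE-2021-26855 pattern Microsoft published in its detection guidance: a request with an empty AuthenticatedUser whose AnchorMailbox matches ServerInfo~*/*. The log excerpt is constructed for this example and trimmed to the relevant columns; the real logs live under the Exchange installation's Logging\HttpProxy folder and carry many more columns, which the reader should confirm against their own server before running it there.

```python
import csv
import io
from typing import Dict, List

# Constructed excerpt in the layout of an Exchange HttpProxy log:
# '#'-prefixed comment lines, then a CSV header row, then one row per request.
# Only the columns this check needs are included; real logs have many more.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-02T10:15:01.000Z,/owa/,CONTOSO\\alice,Smtp~alice@contoso.example,10.0.0.5,200
2021-03-02T10:15:07.000Z,/owa/auth/x.js,,ServerInfo~exch01.contoso.example/autodiscover/autodiscover.xml,198.51.100.23,200
2021-03-02T10:15:09.000Z,/ecp/,CONTOSO\\bob,Smtp~bob@contoso.example,10.0.0.9,200
2021-03-02T10:15:12.000Z,/owa/auth/x.js,,ServerInfo~exch01.contoso.example/mapi/emsmdb,198.51.100.23,200
"""


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse HttpProxy log text into dict rows, skipping '#' comment lines."""
    data_lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(io.StringIO("\n".join(data_lines))))


def is_suspicious(row: Dict[str, str]) -> bool:
    """Microsoft's published CVE-2021-26855 indicator: unauthenticated request
    whose AnchorMailbox is of the form ServerInfo~<host>/<path>."""
    anchor = row.get("AnchorMailbox", "")
    return (
        row.get("AuthenticatedUser", "") == ""
        and anchor.startswith("ServerInfo~")
        and "/" in anchor
    )


def find_suspicious_requests(text: str) -> List[Dict[str, str]]:
    """Return every log row that matches the indicator."""
    return [row for row in parse_httpproxy_log(text) if is_suspicious(row)]


def summarize_by_client(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count matching requests per source IP to prioritise triage."""
    counts: Dict[str, int] = {}
    for row in rows:
        ip = row["ClientIpAddress"]
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious_requests(SAMPLE_HTTPPROXY_LOG)
    for row in hits:
        print(row["DateTime"], row["ClientIpAddress"], row["UrlStem"], row["AnchorMailbox"])
    print("matches per client IP:", summarize_by_client(hits))
```

A match is a lead for the incident-response team, not proof of a successful compromise: the next steps are to check whether the source IP also reached other endpoints, whether unexpected files appeared under the web directories, and whether the patch was applied before or after the matching timestamps. Microsoft also published its own detection script for this campaign; a custom check like this one is most useful when logs have been collected centrally and must be examined away from the server.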

If your organization needs additional resources dedicated to this critical issue, reach out to the team at Vandis today. We can assess your environment, implement the security patch, address any breaches, and discuss further measures your organization can take to prevent future breaches. 

To get started, call (516) 281-2200 or Contact Us.