Microsoft Exchange Attack: Am I affected and what do I do next?
Rarely do cyber-espionage campaigns appear on the scale of the current Microsoft Exchange Server situation. Four vulnerabilities were exploited by a state-backed threat group linked to China, according to Microsoft.
At least 30,000 organizations are already thought to have been attacked in the US, but the number may be much larger globally — giving the hackers remote control over victims’ systems. In our most recent check of Shodan, there are still around 63,000 exposed servers vulnerable to these exploits.
Applying the available patches should be a top priority, or disconnect any vulnerable servers you may be running if you can’t patch immediately. At this time, anyone with an Exchange server needs to take investigative steps to check for signs of compromise.
We fully echo the recommendations from Microsoft and others. In addition, existing XDR customers can use pre-built queries in Trend Micro Vision One to search for signs of the attack in their environment. These queries can be found in our Knowledge Base article, along with details on the added detections and protections that customers can leveraged across all security solutions.
The attacks have been traced back to January 6, 2021, when a new threat group subsequently labelled “Hafnium” by Microsoft began exploiting four zero-day bugs in Microsoft Exchange Server. The group is using virtual private servers (VPS) located in the US to try to hide its true location. Microsoft issued emergency out-of-band patches last week, saying at the time:
“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.”
If chained, the vulnerabilities could be exploited to allow attackers to authenticate as the Exchange server, run code as System and write a file to any path on the server. After exploiting the four bugs, Hafnium is said to deploy web shells which allow the group to steal data and perform additional malicious actions to further compromise their targets. This could include deploying ransomware to victim organizations.
Both the White House and the US Cybersecurity and Infrastructure Security Agency (CISA) are extremely concerned about the far-reaching consequences of the campaign. CISA ordered government agencies to patch now or disconnect their on-premises Exchange servers.
There is also a possible connection to the Chopper ASPX web shell research we published back in January 2021. Trend Micro Research is analyzing further how the campaigns may be related, and whether additional related campaigns may be underway.
Am I impacted?
In Microsoft’s initial assessment it claimed that Hafnium has previously targeted organizations in sectors such as infectious disease research, legal, higher education, defense, policy think tanks and NGOs. However, there are suggestions that the latest expansive wave of attacks may be the work of other threat actors. Whatever the source, former CISA boss Chris Krebs warns that SMBs, education sector organizations, and state and local governments may be disproportionately affected as these often have fewer resources to spend on security.
If you run on-premises Exchange Servers, here is how to check if you’re impacted:
- Scan your Exchange Server logs with the Microsoft detection tool to check for compromise.
- Run a manual sweep with Trend Micro Vision One for the known Indicators of Compromise (IoCs) associated with this campaign.
What happens next?
If you’ve run a scan and found that your environment hasn’t yet been compromised, and you haven’t yet patched, apply the patches released by Microsoft as soon as possible.
If you run the scan using Microsoft’s tool and see evidence that an attacker may have exploited these vulnerabilities in your environment, you are now in incident response mode.
But the approach you take may depend on your in-house resources and situation. Here’s our advice for SMB and enterprise organizations.
- If you don’t have an in-house security team, contact your security vendor or MSP for support.
- If you have an in-house incident response team, they will work to identify next steps.
- Do not re-image any machines until after a forensic scan has been done to ensure you’ve preserved any IoCs.
- Contact your legal team to discuss breach notification requirements.
For more information on Trend Micro’s detections and added protections specific to this campaign, please see this Knowledge Base article, which will be updated as more information is learned: https://success.trendmicro.com/solution/000285882.