Microsoft Exchange Server Hack Explained: Everything You Need to know

Ah, here we go again. A new day, and a new hack, and this time it’s Microsoft.

So, the story goes like this. A group of hackers out of China that Microsoft has dubbed Hafnium, exploited multiple zero-day vulnerabilities that have existed in the Exchange server codebase since 2010. China or not, here is how experts figure out who is behind an attack. First, the malware itself has tell-tale signs that take you back to the author, like encryption methods for blocks of obfuscated code. There are hints left by the compiler, like Unicode, strings, and then there are tactics, techniques, procedures, or what’s known as the TTP.

What is Microsoft Exchange and Zero-Day Vulnerabilities

Anyhow, if you didn’t know, Microsoft Exchange Server is Microsoft’s email, calendaring, contact, scheduling, and collaboration platform. It is deployed on the Windows Server OS by medium and large enterprises worldwide. A zero-day vulnerability is a software vulnerability that a vendor or a developer was unaware of. The zero refers to the number of days a vendor has known about the problem. Microsoft Exchange has an enormous customer base and these exploits have been attempted apparently by about a dozen different groups.

So, in this article, let’s talk about what happened, who did it, why it matters, and what it means for cybersecurity or IT professionals.

History of Microsoft Exchange Vulnerabilities

I hate to say, but we’ve been here before. In April 2020 or less than a year ago, Microsoft was warned by DHS CISA that hackers were targeting a critical vulnerability found in Exchange servers and most of those flaws remain unpatched. Whenever there is a new story that takes us by a surprise, it behooves us to revisit the events that led to it in a somewhat linear fashion. So, here is what we know about the Microsoft Exchange server hack.

Hack Overview

Early last week, Microsoft revealed that a China-based group called Hafnium has been launching cyberattacks against organizations by exploiting four zero-day vulnerabilities in on-premises versions of its Exchange Server software much like what we saw with SolarWinds. Microsoft also sells a hosted version of Exchange server known as Exchange Online and the cloud-hosted Office 365 email solution. These two remain safe and once again prove that software delivered from the cloud and managed by a big tech vendor remains the safest bet, more on that later.

Hack in Three Steps

As per Microsoft, the attacks are being carried out in three steps. First, the group can gain access to an Exchange server either by using stolen account credentials or by using the zero-day vulnerabilities to masquerade as someone who should have access. Second, the group can control the compromised server remotely by creating a web shell, a piece of malicious code that gives attackers remote administrative access. A web shell is a malicious script used by an attacker that allows them to escalate and maintain persistent access on an already compromised application. Third, the group uses remote access to steal data from an organization’s network. So, what is the primary objective that hackers are pursuing here? The data exfiltration. One of the largest Exchange servers installs base exists within the healthcare and IT verticals.

Hack Targets

As per Microsoft, the primary objective of Hafnium is to exfiltrate information such as infectious diseases, and target law firms, higher education institutions, defense contractors, policy think tanks, and non-governmental organizations. These are familiar targets when a nation-state actor is involved. While Hafnium group is located in China, apparently the group runs its malicious operations mainly through leased virtual servers located in the US, again something that we have already seen with SolarWinds. This hack against Microsoft Exchange is 1,000 times more devastating than the SolarWinds attack because Hafnium targeted small and medium-sized enterprises since SMEs do not have the capabilities to conduct a security posture.

Hack Timeline

Here is a linear timeline of how the events unfolded. The first week of January 2021, VOLEXITY and DEVCORE alerted Microsoft about spotting the exploits. February 18, Microsoft confirms with DEVCORE a target date of March 9 for publishing the security patches. Around Feb 26, the targeted exploitation turns into a global mass-scan where attackers start rapidly backdooring vulnerable servers. Now, responding to this escalation, Microsoft releases the patch a week earlier on March 2. By March 5, tens of thousands of US-based Exchange servers and hundreds of thousands of servers worldwide have already been backdoored. Like before, no one knows the actual number of victims, but they are definitely over a quarter million. No one knows how the number of attacker groups so rapidly increased, but one plausible explanation is that once Hafnium learned about the incoming patch and that made them share the exploit with other groups. Another explanation could be that there’s an exploit seller in common and that provided them the exploit or perhaps the price of the exploit went down in the underground market once patches were imminent and other groups piled on. These are the six hacker groups that were exploiting the vulnerability during the zero-day period. Hafnium, Tick, LuckyMouse, Calypso, Websiic, and Winnti.

What You Can Do About the Hack as a Cybersecurity or IT Professional

Now, let’s talk about the steps you can take to protect your organization.

1. Make it a priority if your Exchange server is reachable via the Internet. If your exchange install base has NOT been backdoored, something you can verify by running the script Microsoft has made available. The script looks for the IOCs within the Exchange server logs, then you can go ahead and patch and that takes care of it for now.
2. If your exchange server has been backdoored, you might need to rebuild your exchange server deployment from scratch using the backups. Be sure to scrub your backups for any compromised accounts, reset all passwords and secrets.
3. If you can’t patch your Exchange server, block internet access to it, or restrict access to it by blocking untrusted connections, or putting the server behind your VPN.
4. What else can you do? Well, consider switching to either hosted Exchange server online or switch to Office 365. This attack would have been devastating, had it happened in 2010. At the time, the Microsoft exchange server had over 70% market share and there was no Office 365 available. Fast forward to today, and about 60% of Microsoft email-related customers have already switched to Office 365 and some to Gmail for business.

Future Implications

Anyhow, so where we go from here.

Number one. You can fully expect profit-motivated cybercriminals to pounce on victims by mass-deploying the ransomware.

Number two. The compromised Exchange servers are going to serve as the virtual doorway into the rest of the victim’s network.

Number three. Complicating the situation further is the availability of what appears to be the first functional public proof-of-concept exploit for the ProxyLogon flaws despite Microsoft’s attempts to take down exploits published on GitHub over the past few days. ProxyLogon is the name given to the Microsoft CVE, a vulnerability that allows an attacker to bypass authentication and impersonate users. The threat actors used this vulnerability to access on-premises Exchange servers, which enabled access to email accounts, and install additional malware to facilitate long-term access to victim environments. By examining the differences or diffing between a pre-patch binary and post-patch binary researchers were able to identify exactly what changes were made. They used these changes to then reverse engineer the original vulnerability and fabricate the proof-of-concept exploit.

Number four and finally, now the Biden administration has a real hard policy issue. The SolarWinds hack was significant, but this will affect far more organizations. The SolarWinds hackers stayed low profile the entire time. They targeted usual government targets and never transitioned to a pillage everything model. The Exchange attack shows a complete disregard for possible consequences on behalf of those responsible for the breach. Without consequences, you can expect these broad attacks to simply continue. There are currently no reasons why an attacker who has access to a zero-day shouldn’t simply go ahead and exploit every possible target when they know their exploit is about to lose value. We don’t know how to change this calculus, but hopefully, we can figure out it somehow.

THANK you for reading this article, I hope you found it helpful. I’d love to hear your thoughts.

★★ FURTHER READING LINKS ★★

ESET Report: https://bit.ly/3ewI7H1​

ProxyLogon: https://bit.ly/3vhCcM4​

Microsoft CVE-2021-26855 Script: https://bit.ly/30C9ves

★★ WHO AM I ★★

https://bit.ly/3qZsCLm