On March 3, 2021, Microsoft announced it had detected multiple exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. The exploits utilized a zero-day attack against four separate vulnerabilities in Exchange Server, which were disclosed on March 2.
Exploiting these four vulnerabilities together allows threat actors to take control of an on-premises Exchange server and access email accounts or install malware, which could be used for other, long-term attack activities. Microsoft has since released emergency patches for the vulnerabilities.
Microsoft Threat Intelligence Center (MSTIC) observed attacks carried out by Hafnium, a group assessed to be state-sponsored and operating out of China, primarily targeting US-based organizations running on-premises Exchange servers; this attribution is based on observed victimology, tactics, and procedures. Exchange Online is not affected.
This is the first time MSTIC is discussing Hafnium’s activity. Hafnium is a highly sophisticated and highly skilled threat actor. In the past, it targeted entities in the United States to exfiltrate information from several industries, including higher education institutions, law firms, infectious disease researchers, defense contractors, policy think tanks, and NGOs.
According to Microsoft's blog post, this is the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society; other activity it disclosed has targeted healthcare organizations fighting Covid-19, political campaigns and others involved in the 2020 elections, and high-profile attendees of major policymaking conferences.
While Microsoft currently believes these vulnerabilities were exploited primarily by Hafnium, the public disclosure of the vulnerabilities means other threat actors will also begin targeting them. Coalition is sharing this information with you to highlight the critical nature of these vulnerabilities and the importance of patching all affected systems immediately.
These patches will help protect against these exploits, and maintaining up-to-date software is an absolute must to help reduce the risk of future attacks.
Email servers contain a wealth of valuable information regarding your company’s structure and operations and may even contain highly sensitive information. While email is not a secure communications medium and should never be used to transmit sensitive information like healthcare or financial data, it is not unusual for internal emails to contain such data.
Moreover, these four software vulnerabilities allow an attacker to install software on an Exchange server, which could be used to achieve any number of malicious objectives. Although email servers are usually placed in a demilitarized zone (DMZ) network, they can be used as a conduit to access internal networks. An attacker might also install malware to bypass email security controls such as encryption: messages are typically encrypted only when they leave the email server, so malware running on the server could observe and possibly steal message content before it is protected.
Checking which version of Exchange you run is the first step in determining how this affects you. All recent versions of Exchange Server are vulnerable, including the 2013, 2016, and 2019 (latest) versions. Exchange 2010 is partially affected: only one of the four vulnerabilities is present, but Microsoft has still issued a patch to address it. You can find more details of the specific vulnerabilities by reviewing the vulnerability disclosures and patch detail pages:
Based on our threat intelligence scanning, we detected multiple customers who have an on-premises Microsoft Exchange Server that could be vulnerable to this recently discovered set of flaws. They have been notified and given details on how to address the issue. Coalition’s threat intelligence also confirms attackers are actively seeking out and targeting vulnerable organizations, so applying patches is a critically time-sensitive priority.
Microsoft has also released tools to search for Indicators of Compromise (IOCs). If your organization is running an on-premises Exchange Server, we strongly recommend using those tools or other security scanning tools to detect compromised servers.
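The version check described above is the step most administrators need help with, because the Exchange admin console only shows the cumulative update (CU) level, not the exact security-update build. The following PowerShell script is an added example, not Coalition's or Microsoft's code: it inventories every on-premises Exchange server from the Exchange Management Shell, reads the exact ExSetup.exe build from each one, and flags any server whose build is older than the first patched build for its CU line. The patched build numbers are not embedded in the script; they must be taken from Microsoft's patch detail pages and passed in as a table, and the function name `Test-ExchangePatchLevel` and the `$PatchedBuilds` parameter are assumptions of this example. Once every server reports as patched, run Microsoft's IOC scanning tools against the same servers, since patching does not remove an existing compromise.

```powershell
<#
  Added example (not Coalition's or Microsoft's code). Run in the Exchange Management
  Shell with an account allowed to run remote commands on every Exchange server.
  Reports each server's CU line and exact ExSetup.exe build and flags builds older
  than the first patched build for that CU line.

  The patched builds are NOT hard-coded: copy them from Microsoft's security update
  pages for the March 2021 Exchange patches and pass them in, keyed by the first three
  components of the build (major.minor.cu). Placeholder shape of the table:
    Test-ExchangePatchLevel -PatchedBuilds @{
        '<MAJOR>.<MINOR>.<CU>' = '<MAJOR>.<MINOR>.<CU>.<PATCHED_BUILD>'
    }
#>
function Test-ExchangePatchLevel {
    [CmdletBinding()]
    param(
        # Hashtable of 'major.minor.cu' -> first patched build string (from Microsoft)
        [Parameter(Mandatory)] [hashtable] $PatchedBuilds
    )

    # Normalise the reference table to [version] objects so comparisons are numeric,
    # not string-based ('15.2.792.9' must not sort after '15.2.792.10').
    $reference = @{}
    foreach ($key in $PatchedBuilds.Keys) {
        $reference[$key] = [version] $PatchedBuilds[$key]
    }

    # Get-ExchangeServer (Exchange Management Shell) lists every server in the org.
    foreach ($server in Get-ExchangeServer) {
        # AdminDisplayVersion only reflects the CU, so read the exact build from
        # ExSetup.exe under the install path Exchange publishes as an env variable.
        $buildString = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
            $exe = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
            (Get-Item $exe).VersionInfo.ProductVersion
        }
        $installed = [version] $buildString
        $cuKey = '{0}.{1}.{2}' -f $installed.Major, $installed.Minor, $installed.Build

        $status = if (-not $reference.ContainsKey($cuKey)) {
            # A CU line with no entry cannot be judged; treat it as an action item.
            'UNKNOWN-CU (add this CU line to the reference table)'
        } elseif ($installed -lt $reference[$cuKey]) {
            'VULNERABLE (below patched build {0})' -f $reference[$cuKey]
        } else {
            'PATCHED'
        }

        [pscustomobject]@{
            Server         = $server.Name
            Edition        = $server.Edition
            AdminVersion   = $server.AdminDisplayVersion
            InstalledBuild = $installed
            Status         = $status
        }
    }
}

# Typical use: pipe to Format-Table, or filter to the servers that still need work:
#   Test-ExchangePatchLevel -PatchedBuilds $table | Where-Object Status -ne 'PATCHED'
```

Servers on a CU line older than the ones Microsoft issued security updates for will show up as UNKNOWN-CU; those need a CU upgrade before the security update can be applied at all, which is why the script reports them rather than silently marking them patched.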
Patches are available and need to be installed immediately if you are running an affected version of Exchange. Links to patches are available from Microsoft. If you are not responsible for your organization's IT, please share this notice with the appropriate personnel responsible for administering Exchange. If the patches have already been applied, no further action is necessary! Below are the specific actions we recommend:
If you have questions or concerns regarding your Exchange infrastructure, contact us. If you are a Coalition customer and believe this vulnerability has been exploited in your organization, please call Coalition claims toll-free at +1 833.866.1337.