First, A Word from Our CEO: What TRUE Teams Have Been Doing to Help Those Affected by This Attack
I’d like to take a moment to recognize the exemplary work of our Security, Engineering, and Compliance teams, including the author of this blog, who have supported TRUE’s clients around the clock in recent weeks to help them mitigate risks related to the recent Microsoft Exchange vulnerability and cyberattack.
When this vulnerability first appeared in TRUE’s Security Operations Center threat feeds, our Security Operations Center, Network Operations Center, and Incident Response teams went into immediate action. Not only did they initiate specific proactive threat hunting investigations into the environments of our own managed clients as part of what we provide for them, but TrueIR took on a number of external Hafnium-related incident response cases. From that perspective, they have been able to uncover nefarious activities associated with this attack and apply that knowledge to threat hunting in other clients’ environments. In turn, our Risk Advisory team has supported clients in closing gaps in their security programs that can help them mitigate such risks going forward.
Therein lies the advantage of the phenomenal teams and technologies that our NOC, SOC, and IR services represent. They aren’t relying on anyone else to tell them what to look for. They are first on the scene, sharing information, collaborating, approaching the environment as a whole, rather than looking at just one component. Each team has specialized expertise, and together, they share knowledge and insight that our clients rely on us to have when protecting their valuable assets.
TRUE’s teams aren’t outsourcing SOC services on the back end as many MSPs and MSSPs do these days to fill in mindshare gaps they may not be able to hire at the moment. TRUE’s experts have first-hand knowledge and represent highly specialized, certified mindshare. The best-in-breed technology and service stacks they have built, their deep bench of experts: this is all part of the benefit our clients gain when they choose to trust TRUE with all or part of their IT, security, or compliance needs.
With that, let’s get to the reason you’re here. Senior Security Consultant Randy Griffith not only has first-hand experience helping scores of clients build their own security programs, but he has years of experience in auditing client environments to help them identify and remediate gaps. From that perspective, he has curated and supplemented the best of what’s out there for you on the Exchange hack: what the problem is and what you can do about it.
Rory Sanchez, CEO
The Microsoft Exchange Server Exploit: What it is, How to Identify it, and What You Can Do if You’ve Been Affected
There has been a flood of articles and directives following the most recent Microsoft Exchange Server exploits. To help you navigate the advice on which steps are most important for you to take, I have assembled here the key links and details you will need in order to:
- understand the overview of this attack
- determine your risk of compromise
- assess your vulnerabilities
- test your systems for this specific vulnerability
- patch your systems to address the flaws, and
- review for any other exposures left behind, such as web shells that might have been installed after an initial compromise.
Know that at any point, if you would like to speak with someone at TRUE about one-time consultative support or an ongoing vulnerability management service like TrueMVP, we are available to help you. In the meantime, we hope this adds some context to the situation and helps you determine whether or not you have been affected.
Summary of What Happened
During the week of March 1, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) and other security watchdog groups determined that a series of zero-day vulnerabilities in Microsoft Exchange Servers were being exploited by a suspected state-sponsored advanced persistent threat (APT) group from China called Hafnium. These exploits and vulnerabilities are currently known to go back at least to September 1, 2020, and any environment found to be vulnerable has been advised to review its logs back to at least September 1, 2020 for indicators of compromise (IOCs). To date, CISA has noted that government entities, retailers, and higher education organizations were the first identified as affected, but exploitation will not be limited to those environments.
Who is Being Targeted
To date, more than 30,000 companies in the US and 100,000 worldwide are estimated to have been compromised by the Microsoft Exchange exploit and its related vulnerabilities. We have confirmed with TRUE’s incident response and SIEM teams in our 24/7 Security Operations Center, as well as through external research, that small and mid-size companies are among those most likely to be targeted by this exploit.
Why Midmarket and Small Businesses?
Smaller and mid-size companies often operate lean teams, competing with their enterprise competitors by keeping operating costs down. Because of that mindset, they sometimes underinvest in the resources needed to protect their business assets. Therefore, as attackers recognize, these organizations tend to be more likely to have deficiencies in vulnerability and patch management, and they have the fewest resources assigned to monitor their environment and detect a compromise in a timely manner. If someone is assigned to review logs, for example, they are likely doing so only during business hours, rather than at night and on weekends as well. For this reason, stealth attacks are commonly leveled during off-hours, so attackers can get into systems, navigate, and sometimes even cover their tracks before anyone notices. In this instance, attackers appear to have leveraged these typical weaknesses in both internal control processes and the related resource limitations for detection and monitoring, exploiting as many companies as possible before organizations catch on and address their gaps and vulnerabilities.
“Hafnium mainly target US entities in infectious disease research, law firms, higher education institutions, defense contractors, policy thinktanks, and NGOs, according to Microsoft. The group also primarily operates from leased virtual private servers (VPS) in the United States” (Source: Microsoft: These Exchange Server zero-day flaws are being used by hackers, so update now | ZDNet)
The flaws affect the following environments:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
Exchange Online is not affected.
Flaws Identified and How to Know if You Have Been Compromised
The attackers used the bugs in on-premises Exchange servers to access email accounts of users. The four bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
“This is the real deal,” Chris Krebs, the former head of the Cybersecurity and Infrastructure Security Agency, said on Twitter, referring to the attacks on on-premises Exchange, which is also known as Outlook Web Access. “If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03.”
A good summary of how to determine if you have been compromised can be found at: Tens of thousands of US organizations hit in ongoing Microsoft Exchange hack | Ars Technica
Even After Patching, You May Not Be In the Clear Yet
“Tens of thousands of Exchange servers had been compromised with a webshell, which hackers install once they’ve gained access to a server. The software allows attackers to enter administrative commands through a terminal window that’s accessed through a web browser.
Researchers have been careful to note that simply installing the patches Microsoft issued in Tuesday’s emergency release would do nothing to disinfect servers that have already been backdoored. The webshells and any other malicious software that have been installed will persist until they are actively removed, ideally by completely rebuilding the server.
People who administer Exchange servers in their networks should drop whatever they’re doing right now and carefully inspect their machines for signs of compromise. Microsoft has listed indicators of compromise here. Admins can also use this script from Microsoft to test if their environments are affected.”
Exposure and Impact of Flaws
"Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network," the agency says.
CISA believes the vulnerabilities present an "unacceptable risk to Federal Civilian Executive Branch agencies," and so action is now required.
Government Agency response:
The emergency directive has stipulated that agencies must begin triaging their network activity, system memory, logs, Windows event logs, and registry records to find any indicators of suspicious behavior.
If there are no indicators of compromise (IoCs), patches need to be immediately applied to Microsoft Exchange builds. However, if any activity is of note, US departments must immediately disconnect their Microsoft Exchange on-premises servers and report their findings to CISA for further investigation.
"This Emergency Directive remains in effect until all agencies operating Microsoft Exchange servers have applied the available patch or the Directive is terminated through other appropriate action," the agency added. (Source: CISA issues emergency directive to agencies: Deal with Microsoft Exchange zero-days now | ZDNet)
Private Company Exposure and Response
Links to current tools to test for vulnerability:
- Tool to see if you are vulnerable as well as mitigation techniques and procedures:
- Microsoft Exchange Server team script on Github to test for vulnerability:
Microsoft continues to add to their knowledge and their mitigation guidance on the subject. Their updates can be found at: HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security
Early indications are that small and mid-size companies may be at the greatest risk from this exploit because of differing levels of diligence in patching systems. It is believed that hackers assume small and mid-size companies are less likely to keep patches up to date and less likely to identify a breach.
“The Hafnium attackers deployed "web shells" on compromised Exchange servers for the purpose of stealing data and installing more malware. Web shells are small scripts that provide a basic interface for remote access to a compromised system.
According to Brian Krebs, author of KrebsOnSecurity, the Hafnium hackers have accelerated attacks on vulnerable Exchange servers since Microsoft released the patches. His sources told him that 30,000 organizations in the US (100,000 worldwide) have been hacked as part of this campaign.” (Source: ZDNet)
As outlined above:
- Use the available online tools to determine whether your environment is at risk, and review your logs (back to at least September 1, 2020) for indicators of compromise.
- Apply the patches for the flaws discussed at the earliest possible time.
- Review for web shells, as described above, to address any ongoing compromise.
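As an added example (not code from the original post, from TRUE, or from Microsoft), the following PowerShell script performs the evidence-gathering part of that procedure on an on-premises Exchange server: it records the installed build for comparison with Microsoft's patched builds and lists browser-reachable script files created or changed since September 1, 2020, the review start date given above. It assumes it runs in an elevated Exchange Management Shell on the server itself; the directory paths are assumptions based on the default Exchange and IIS layout.

```powershell
# Added example; not code from the original post or from Microsoft. Run in an
# elevated Exchange Management Shell on the Exchange server itself. It only
# gathers evidence for human review; it patches and deletes nothing.
param(
    # The post advises reviewing back to at least 1 September 2020.
    [datetime]$Since = (Get-Date '2020-09-01'),
    [string]$ReportPath = (Join-Path $env:TEMP 'exchange-triage-report.csv')
)

if (-not $env:ExchangeInstallPath) {
    throw 'ExchangeInstallPath is not set; run this on the Exchange server.'
}

# 1. Record the installed build for comparison with Microsoft's patched builds.
$exsetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
$build = (Get-Item $exsetup).VersionInfo.ProductVersion
Write-Host "Exchange build: $build (compare with Microsoft's list of patched builds)"

# 2. Browser-reachable directories where a dropped web shell would be served.
#    Assumed from the default Exchange/IIS layout; adjust for your install.
$webRoots = @(
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
    (Join-Path $env:ExchangeInstallPath 'ClientAccess'),
    'C:\inetpub\wwwroot\aspnet_client'
) | Where-Object { Test-Path $_ }

# 3. List script files created or changed in the review window, with hashes so
#    findings can be preserved and compared against published indicators.
$suspect = foreach ($root in $webRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include '*.aspx', '*.asp', '*.ashx' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 4. Report without remediating: the post recommends rebuilding a backdoored
#    server rather than cleaning it, and untouched files remain evidence.
if ($suspect) {
    $suspect | Sort-Object LastWriteTime | Format-Table Path, LastWriteTime, SizeBytes -AutoSize
    $suspect | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Wrote $(@($suspect).Count) entries to $ReportPath for manual review."
} else {
    Write-Host "No script files changed since $Since under the checked directories."
}
```

Files legitimately replaced by an Exchange cumulative update will also appear in the report, so compare each entry's timestamps against your update history before treating it as a finding.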
If you have outsourced any part of your IT environment, you might review the certifications and capabilities of your provider(s). If you are not comfortable that they are able to fully handle incidents in a US-based SOC, as well as provide expert governance, risk, and compliance (GRC) consultation to walk you through risk mitigation, you can always reach out to get an objective review of security validations from a certified security and compliance auditor. If you need help with an incident or risk mitigation, feel free to request a consultation from TRUE’s experts at any time. We are here to help.
Original CISA Alert (Also tracking updates to directive):
CISA Emergency Directive:
The Zero Day flaws that are directly related to compromises:
Tool to see if you are vulnerable and mitigation techniques and procedures:
Microsoft Exchange Server team script on Github to test for vulnerability: