The attacks on Microsoft Exchange servers around the world by Chinese state-sponsored threat group Hafnium are believed to have affected over 21,000 organizations. The impact of these attacks is growing as the four zero-day vulnerabilities are getting picked up by new threat actors.
While the world was introduced to these critical vulnerabilities on March 2nd when Microsoft released security updates and mitigation guidance, the first known exploitation of these vulnerabilities occurred in early January. Although applying Microsoft’s advised updates protects organizations from continued or future exploitation of these known vulnerabilities, the updates don’t undo any compromises that have already happened. And because these Exchange vulnerabilities are exposed to the internet, cybercriminals continue to voraciously seek out unpatched systems to attack at unprecedented scale.
I recently had the opportunity to speak with Alan Sugano, president of ADS Consulting Group, about the Hafnium attacks for an episode of the HIP Podcast. Through his work with ADS Consulting Group, a supporting organization for many small to midsized companies with deep knowledge of Microsoft Exchange, Alan is intimately involved with patching and mitigation efforts related to the Hafnium attacks. When I spoke with Alan, we discussed what exactly the Hafnium attacks are and how they provide unauthorized access to critical systems like Active Directory (AD), as well as actionable guidance on how enterprises can defend against these attacks.
How do the Hafnium attacks work?
Based on the information currently available, the Hafnium attacks are largely automated attacks that seek out unpatched Exchange Servers. By taking advantage of four zero-day vulnerabilities, the attackers are able to remotely search for Exchange Servers that are exposed to the internet and gain access to any such Exchange Server through Outlook Web Access (OWA). They then create a web shell to control the compromised server remotely, steal an organization’s data, and gain unauthorized access to critical systems like AD. By targeting AD, cybercriminals can elevate privileges and move laterally to other systems and environments.
How can an organization confirm if it has been hacked?
One of the biggest indicators of compromise (IOCs) is the presence of an ASPX file that doesn’t look like it should be there. Organizations can look for these web shell files by checking the path C:\inetpub\wwwroot\aspnet_client\system_web. Microsoft also released various PowerShell scripts that organizations can run to check for Hafnium IOCs across different folders, along with the file names to look for.
Once the ASPX file is there, it doesn’t matter if an organization has patched its server. If the ASPX file is there, it means that the web shell has already been installed and that an attacker has access to vulnerable systems.
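The inventory check described above, written out as an added PowerShell example (this is not code from the original post and not one of Microsoft’s scripts). It walks the aspnet_client folder named in the post, records each .aspx file’s timestamps and SHA-256 hash, flags anything created or modified since January 2021, and writes the list to a CSV for review; $ReportPath and the cutoff date are assumptions chosen for this example.

```powershell
# Added example (not from the original post or Microsoft's scripts): inventory
# every .aspx file under the folder the post names so it can be reviewed by hand.
# $ReportPath is a hypothetical output location; $Cutoff reflects the post's
# "early January" first-exploitation date. Everything here is read-only.
$Root       = 'C:\inetpub\wwwroot\aspnet_client'
$ReportPath = 'C:\Temp\aspx-inventory.csv'
$Cutoff     = Get-Date '2021-01-01'

if (-not (Test-Path -LiteralPath $Root)) {
    Write-Warning "Folder $Root not found; is this an Exchange front-end server?"
    return
}

# aspnet_client normally holds static client-side script shipped with ASP.NET,
# so any server-side .aspx page under it deserves attention. List them all,
# hash them, and mark the recent ones.
$Findings = Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [PSCustomObject]@{
            Path          = $_.FullName
            CreationTime  = $_.CreationTimeUtc
            LastWriteTime = $_.LastWriteTimeUtc
            SizeBytes     = $_.Length
            Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Recent        = ($_.CreationTimeUtc -ge $Cutoff -or $_.LastWriteTimeUtc -ge $Cutoff)
        }
    }

if (-not $Findings) {
    Write-Host "No .aspx files found under $Root."
    return
}

# Newest files first; the CSV is the record to keep with the incident notes.
$Findings | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
$Findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
Write-Host "$($Findings.Count) .aspx file(s) listed in $ReportPath; compare the hashes against Microsoft's published IOCs."
```

Run it from an elevated PowerShell session on the Exchange Server. Two caveats: the Recent flag is only a sorting aid, since file timestamps can be altered by an attacker, and a hash that does not match a published IOC does not clear a file, because web shells are trivially modified. Treat every .aspx file in this folder as something to explain, not just the ones that match a list.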
What steps should organizations take to check whether they’ve been compromised?
Organizations can be hit with multiple variants of Hafnium, and it’s possible that new variants have already been created that would cause the web shell to appear in a different folder that is not listed in Microsoft’s PowerShell scripts. For this reason, the recommended course of action is to download the Microsoft Safety Scanner. This will run a full scan against an organization’s Exchange Server and will spot web shells that commercial antivirus software is simply unable to pick up. Relying on traditional antivirus software will only give your organization a false sense of security while leaving it vulnerable.
It’s important to note that during the actual scan, the Microsoft Safety Scanner may report “infected files.” It sounds scary, but it may just be a portion of a file that matches one of the patterns the scanner is searching for. To know for certain whether or not your organization has been compromised, you will need to review the full results after the scan is complete. While the Safety Scanner will automatically delete any infected files, it’s a best practice to run the full scan again after rebooting the Exchange Server to ensure there are no missed files.
What remediation steps should a compromised organization take?
If the Microsoft Safety Scanner finds a web shell, that organization should also check Scheduled Tasks to ensure there are no scheduled tasks that run VSPerfMon, which opens backdoors that maintain persistent access to the compromised Exchange Servers. To do this, open a command prompt on the Exchange Server and run Schtasks.exe. Another potential backdoor is the presence of an image path registry key pointing to an Opera browser, which attackers use as a method for launching a remote access trojan to enable administrative control. Before removing any backdoors, organizations will want to block OWA access to prevent attackers from dropping in another backdoor during the remediation process.
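The two persistence checks just described, as an added PowerShell example that is not code from the original post. It wraps Schtasks.exe, as the post suggests, so it also works on older Exchange Servers without the ScheduledTasks module, and it reads the ImagePath value of every service from the registry. The search strings VSPerfMon and Opera come from the post; reading the “image path key” as a service ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services is this example’s assumption.

```powershell
# Added example (not from the original post): read-only checks for the two
# persistence mechanisms the post names. Run elevated on the Exchange Server.

# 1. Scheduled tasks whose command line runs VSPerfMon.
#    /V adds the "Task To Run" column and /FO CSV makes the output parseable.
#    schtasks repeats its header line per task folder, so drop those rows.
#    Column names below are the English ones; adjust on a localized server.
$Tasks = schtasks.exe /Query /FO CSV /V |
    ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }

$SuspectTasks = $Tasks |
    Where-Object { $_.'Task To Run' -match 'VSPerfMon' } |
    Select-Object TaskName, 'Task To Run', 'Run As User', 'Next Run Time', Status

# 2. Services whose ImagePath points at an Opera browser executable.
#    Each service is a subkey under Services; ImagePath is the binary it launches.
$SuspectServices = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.ImagePath -match 'opera' } |
    Select-Object PSChildName, DisplayName, ImagePath

# Report. Nothing is deleted here: capture the findings first, then remove the
# backdoors only after OWA access has been blocked, as the post advises.
if ($SuspectTasks) {
    Write-Warning 'Scheduled task(s) referencing VSPerfMon:'
    $SuspectTasks | Format-Table -AutoSize
} else {
    Write-Host 'No scheduled task runs VSPerfMon.'
}

if ($SuspectServices) {
    Write-Warning 'Service ImagePath value(s) referencing Opera:'
    $SuspectServices | Format-Table -AutoSize
} else {
    Write-Host 'No service ImagePath references Opera.'
}
```

Treat a hit from either check as a lead to investigate rather than a verdict, and save the output alongside the Safety Scanner results before any cleanup so the evidence survives remediation. An empty result is also not proof of a clean server: the post itself notes that new variants may use locations and names that published indicators don’t cover.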
In addition, any incursion into an organization’s network inevitably leads to AD because doing so provides attackers with access to privileged credentials. This means that if AD is compromised, an organization’s entire environment is compromised. Scanning systems for both IOCs and IOEs (indicators of exposure) is a critical step to strengthen AD security. One thing that can help, and I highly recommend security professionals take advantage of, is Purple Knight, a free security assessment tool that was designed to scan AD for 59 different IOEs and IOCs in seconds. Semperis also recently enhanced Directory Services Protector (DSP) v3.5, which enables organizations to continuously monitor AD for pre- and post-attack security indicators and uncover dangerous vulnerabilities.
Finally, it’s important that security teams make a conscious effort to stay updated on news related to Hafnium and Exchange Server, especially any new discoveries around vulnerabilities. The TRUESEC blog and Huntress blog are great sources of information.
The access that can be achieved by exploiting the vulnerabilities is significant. By acting quickly to remove web shells and any other backdoors, organizations can potentially safeguard their data before attackers have a chance to start mining compromised servers for data.