What Exchange Server ‘HAFNIUM’ attacks mean to you

Microsoft Exchange Server software has been comprehensively hacked over the last few months, with the focus on US systems but spreading across the world.  Here is what happened, who needs to act now and what everyone should watch out for.

Exchange Server is the mailbox technology used by many, many companies around the world. Most public and private organizations use Exchange Server in some form.

First, some good news …

Microsoft 365 hosting, including Outlook.com, is OK, according to Microsoft.

The attacks targeted Exchange Server systems run by organizations themselves, called ‘on-premises’ servers, as opposed to cloud or Microsoft-hosted servers.

That doesn’t absolve Microsoft of responsibility; the security breaches are in their software.

What happened?

Hackers, seemingly China-based, took advantage of four different security lapses in Microsoft’s Exchange Server product.  They used these security holes to gain full access to all mailboxes on a server.

Once they gained access, the criminals installed ‘web shells’ so they could get back into the system whenever they like, even after the original security problems are patched.

This has been happening since early January!

The criminals used their access to copy entire mailboxes of organizations. With the ‘web shells’ they can add other nasties to a system.

Microsoft has published information for network administrators.  In short, the Exchange Server system must be patched (to prevent infiltration) and the system carefully scanned for signs that it’s already been hacked before the patches were installed.
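The post-patch scan for signs of an earlier break-in is the step administrators most often get wrong, so here is an added example of the idea behind it. This is not code from the article or from Microsoft: it snapshots the script files (.aspx and similar) in a web-accessible directory taken from a known-good install, then rescans and flags any script file that is new or changed since that baseline, ranking the hits by how many web-shell-style constructs they contain. The directory layout, file names and fixture contents are constructed for the demo and are not Exchange-specific paths; the pattern list is a generic starting point, not a complete signature set.

```python
"""
Added example (not from the original article or Microsoft): baseline-versus-current
sweep of a web root to flag script files that appeared or changed after a known-good
snapshot. Paths, file names and the pattern list are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Server-side script types an IIS web shell is typically written as.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Generic constructs seen in web shells: request input fed to something that executes.
SUSPICIOUS_PATTERNS = [
    re.compile(r"Request\s*[\[.(]", re.IGNORECASE),                 # reads attacker-controlled input
    re.compile(r"Process\.Start|ProcessStartInfo", re.IGNORECASE),  # spawns a process
    re.compile(r"\beval\b|\bExecute\b|Assembly\.Load", re.IGNORECASE),  # dynamic code execution
    re.compile(r"FromBase64String", re.IGNORECASE),                 # decodes an obfuscated payload
]


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map relative path -> sha256 for every script file under root (the baseline)."""
    result = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTENSIONS:
            result[str(path.relative_to(root)).replace(os.sep, "/")] = hash_file(path)
    return result


def score_file(path: Path) -> list:
    """Return the patterns that match inside one script file (empty list if none)."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return [pattern.pattern for pattern in SUSPICIOUS_PATTERNS if pattern.search(text)]


def find_webshell_candidates(root: Path, baseline: dict) -> list:
    """Rescan root and report script files that are new or modified relative to baseline."""
    findings = []
    for rel, digest in snapshot(root).items():
        if rel not in baseline:
            status = "new"
        elif baseline[rel] != digest:
            status = "modified"
        else:
            continue  # unchanged since the known-good snapshot
        findings.append({"path": rel, "status": status, "sha256": digest,
                         "patterns": score_file(root / rel)})
    # Most suspicious first: more matching patterns, then by path for stable output.
    return sorted(findings, key=lambda f: (-len(f["patterns"]), f["path"]))


def demo() -> list:
    """Build a constructed web root, baseline it, drop in fixtures, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "owa").mkdir()
        benign = root / "owa" / "logon.aspx"
        benign.write_text('<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
        baseline = snapshot(root)  # would normally come from the freshly installed system

        # Constructed fixtures, not functional code: one new file carrying shell-like
        # tokens, and one harmless edit to a file that was already in the baseline.
        (root / "owa" / "errorpage.aspx").write_text(
            '<%-- constructed test fixture --%>\nRequest["p"] FromBase64String Process.Start\n')
        benign.write_text(benign.read_text() + "<!-- footer -->\n")
        return find_webshell_candidates(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(f'{finding["status"]:9} {finding["path"]:25} patterns={len(finding["patterns"])}')
```

The important design point is that the comparison is against a baseline taken from a clean install, not against a list of known-bad names: a web shell with an innocuous file name still shows up as “new”, and a legitimate page that was edited to include a backdoor shows up as “modified”. The pattern scoring only orders the review; a new script file with zero pattern hits still deserves a look, because obfuscation defeats string matching.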

Update: Microsoft has released patches for older Exchange Server versions that are out of support. Specifically Exchange Server 2019 CU 3; Exchange Server 2016 CU 17, CU 13, CU 12; and Exchange Server 2013 CU 22, CU 21.  You know a security problem is serious when Microsoft issues patches for older, expired products.

Only Outlook Web Access (OWA)?

OWA is the web-based way to access your mailbox via a web browser.

The hackers can use Outlook Web Access/App to infiltrate a system, but that doesn’t mean OWA is risky for individual users.

Scary headlines about ‘Microsoft Outlook’ being hacked are flat-out wrong.  Outlook for Windows/Mac has had security problems in the past and will again, but this isn’t one of them.

Concerns for individual users

If you have a mailbox with an ‘on-premises’ Exchange Server, there’s nothing you have to do. This is mostly a server security problem for network administrators to fix.

There’s an increased risk of infected documents or phishing emails.  The hackers could try to break further into an organization by sending bogus documents or emails with fake links from genuine and usually trusted ‘in-house’ mail accounts.

As always, be wary of incoming messages, even from known people/accounts.

How many affected systems?

KrebsOnSecurity estimates that over 30,000 Exchange Server systems could be affected, but that appears to be for the US only.  The total number of vulnerable systems is much higher.

Keep in mind this is counting the number of servers affected, not people or their devices. Each of the “30,000” can have hundreds or thousands of users connected to the server, with who-knows how many computers and devices.

Little wonder the US Department of Homeland Security is concerned enough to issue an emergency warning.

Affected organizations range from government agencies, police and fire departments, schools and non-profits through to large private organizations like banks.

While most of the focus has been on American organizations, any Exchange Server system hosted by an organization itself is vulnerable, anywhere in the world.

The Microsoft Advantage?

Don’t be surprised if Microsoft uses these attacks to further push customers to cloud-based hosting.

Affected customers should be asking Microsoft why their systems were left vulnerable while Microsoft’s own Exchange Server hosting wasn’t affected.  It appears that customers who have stuck with ‘on-premises’ hosting have been given second-class treatment. We’re not suggesting there was malicious delay by Microsoft, but it’s hard to understand how it took two months for the company to act.

More Info …

Volexity did the early running on this problem.

Microsoft published HAFNIUM targeting Exchange Servers with 0-day exploits on 2 March 2021.  It includes a script for admins to check their systems for traces of post-hacking activity; however, those checks won’t be complete.