On 2nd March 2021, Microsoft announced that a new nation-state cyber attack had been identified by the Microsoft Threat Intelligence Center (MSTIC). The attack targeted on-premises Exchange Server software using previously undisclosed vulnerabilities. MSTIC attributed the attack to a cyber-espionage group it calls HAFNIUM.

Microsoft also disclosed four zero-day vulnerabilities used in this attack, CVE-2021-26855, CVE-2021-26858, CVE-2021-26857 and CVE-2021-27065, along with security patches and technical guidance noting the ongoing active exploitation of these vulnerabilities by the APT (Advanced Persistent Threat) group HAFNIUM. According to Microsoft, HAFNIUM is a Chinese government-backed hacking group operating out of China, an assessment based on observed victimology, tactics and procedures.

Microsoft is providing support through the new updates and is sharing information with its customers and the security community, urging them to prioritise these vulnerabilities urgently because of the nature of the attack and the tactics used in it, so that future attacks can be prevented.

Who is the HAFNIUM Group?

According to Microsoft, HAFNIUM is a Chinese government-backed hacking group operating out of China, an assessment based on observed victimology, tactics and procedures. HAFNIUM is a sophisticated group that has run long cyber-espionage campaigns against the United States, targeting law firms, NGOs, defense contractors and higher-education institutions in order to exfiltrate data.

What makes this attack so dangerous to unpatched Servers?

Although this attack relies on a web-shell tactic that is seven years old, the 'China Chopper' web shell first identified by FireEye in 2013, to run its malicious code and keep backdoor access to the system, it still went undetected. Because of the nature and technique of the attack, it was very difficult for anti-malware solutions to detect. Owing to its persistence, and because the four new vulnerabilities Microsoft identified in this attack are still not fully patched, Microsoft currently provides only mitigations and workarounds to protect against the exploit.

Furthermore, ten days after announcing this attack and partially releasing the patches, on 12th March Microsoft also informed the community that it had detected and was blocking a new ransomware variant called 'DearCry', which has been compromising unpatched Exchange Servers by taking advantage of the identified vulnerabilities.

How can you find out whether your Microsoft Exchange Servers are compromised?

There is still no permanent solution yet, although Microsoft and researchers have been working hard to find one. This is not a single vulnerability that can easily be patched: the attack chains multiple vulnerabilities and different techniques that are difficult for signature-based anti-malware solutions to detect. In addition, because these vulnerabilities have been exploited for the past few weeks, there is already a high chance that your Exchange servers have been compromised with a backdoor if you have not yet verified and patched them. Please also note that Exchange Online is not affected by these vulnerabilities.

What can you do to protect your organisation against this vulnerability?

  • Microsoft has also published an article on how to scan Exchange log files for indicators of compromise, with specific details, from which you can also download the IoCs and hashes for this attack. (Please deploy these latest IoCs to your defences as soon as possible.)
  • If possible, minimise the traffic to your servers and run the Microsoft Safety Scanner tool provided by Microsoft to scan for any malware activity.
  • Start scanning for anomalies such as cmd.exe (the command shell) being spawned, unknown connections to random or to the same IPs every 40-60 minutes, or PowerShell executed in the last 2-3 months.
  • Go through the article published by the Palo Alto research team, which gives a very good explanation of the steps you can take to mitigate this vulnerability.
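The anomaly hunting described in the list above, as an added example that is not part of the original post or of any Microsoft tooling: it walks constructed process-creation and outbound-connection log lines, flagging command shells spawned directly by the IIS worker process (w3wp.exe as the parent is an assumption about where an Exchange web shell executes) and destinations contacted at regular 40-60 minute intervals.

```python
"""Added detection sketch for the anomalies listed above (not from the original post).
Both log formats below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records: "timestamp|parent_image|child_image"
PROCESS_LOG = """\
2021-03-05T10:02:11|w3wp.exe|cmd.exe
2021-03-05T10:02:12|cmd.exe|whoami.exe
2021-03-05T10:15:40|explorer.exe|powershell.exe
2021-03-05T10:31:05|w3wp.exe|powershell.exe
"""

# Constructed outbound-connection records: "timestamp|destination_ip"
CONN_LOG = """\
2021-03-05T09:00:00|198.51.100.7
2021-03-05T09:52:00|198.51.100.7
2021-03-05T10:41:00|198.51.100.7
2021-03-05T11:35:00|198.51.100.7
2021-03-05T09:10:00|203.0.113.9
2021-03-05T09:11:00|203.0.113.9
2021-03-05T09:12:00|203.0.113.9
"""

WEB_WORKER = "w3wp.exe"  # assumption: IIS worker process hosting the Exchange web shell
SHELLS = {"cmd.exe", "powershell.exe"}

def find_shells_from_web_worker(log):
    """Return (timestamp, child) for each command shell spawned directly by the web worker.
    An interactive user launching PowerShell from explorer.exe is not flagged."""
    hits = []
    for line in log.splitlines():
        ts, parent, child = line.split("|")
        if parent.lower() == WEB_WORKER and child.lower() in SHELLS:
            hits.append((ts, child))
    return hits

def find_periodic_beacons(log, min_gap=timedelta(minutes=40),
                          max_gap=timedelta(minutes=60), min_hits=3):
    """Return destination IPs contacted at least min_hits times where every gap
    between consecutive connections falls inside the 40-60 minute window."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        ts, ip = line.split("|")
        by_ip[ip].append(datetime.fromisoformat(ts))
    beacons = []
    for ip, times in by_ip.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if len(gaps) >= min_hits - 1 and all(min_gap <= g <= max_gap for g in gaps):
            beacons.append(ip)
    return beacons
```

Real beacons jitter, so in production widen the window or tolerate a few outlier gaps rather than requiring every interval to match.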

I hope that helps. If you need any further information or assistance get in touch with us at hello@techforce.co.uk
