HAFNIUM attack – Dubex recommendations
10. marts 2021 - Dubex was part of the discovery of the vulnerabilities leading to the HAFNIUM attacks and was therefore invited to speak at the CFCS webinar held on 9 March about the attack. As part of the webinar Dubex shared immediate recommendations for handling the attack and recommendations moving forward.
The national Danish Centre for Cyber Security (CFCS) held a webinar on 9 March 2021 in the wake of the recent HAFNIUM attack, which affected Microsoft Exchange Servers globally. Dubex was invited to shed some light on the attack and the involvement in the subsequent patches that Microsoft rolled out last week.
Given the nature of these vulnerabilities and the widespread exploitation of them, if your company has not yet applied the patches then assume you have been breached and respond accordingly. Applying the patches will fix the vulnerability but will not address any compromise or additional backdoors attackers may have planted before the patches were applied.
It is important to stress that even if the system has been updated with the latest patches from Microsoft, the system might still be compromised, and it is important to check the systems for indications of compromise (IOC). Patching the Exchange servers will NOT remove the backdoors.
Lars Westergaard Birch, Security Consultant at Dubex, explains his findings in the article published on 3 March “Please leave an exploit after the beep”.
Recommendations for now
Dubex presented some recommendations because of the HAFNIUM attack, which should be applied now.
Microsoft rolled out four patches on 2 March 2021, which are critical to install. If the Exchange Servers have not been updated at this point, there is a very good chance that the installation has already been compromised since widespread automated attacks have been seen from 25 February and onwards.
Security updates should be applied to all Exchange Servers prioritising Internet-facing Exchange Servers. Patches are released for Exchange Server 2010, 2013, 2016 and 2019.
Please follow Microsoft Patch instructions: Released March 2021 Exchange Server Security Updates.
All Exchange Servers, again prioritising Internet-facing Exchange Servers, should be checked for signs of comprise.
- Scan the Exchange and IIS logfiles for known IOC
- Check hosts for IOC:
- Web shells / web shell hashes
- IOC’s in known paths and file names
- LSASS process memory dumps, etc.
Microsoft has updated Microsoft Defender with many of the known IOC’s, in addition to existing alerts. Also, Microsoft Defender has been updated to detect the web shells in the latest version of the Microsoft Safety Scanner (MSERT.EXE). Windows Defender. MSERT can be used to detect and will automatically remove the implanted web shells unless started with the /N argument. Note MSERT is not a real-time defense tool and only performs spot checks. Select the full scan option, which can take a while. Microsoft also released a PowerShell script “Test-ProxyLogin.ps1” to search for IOCs in Exchange and OWA log files, see GitHub CSS-Exchange link below.
Microsoft Safety Scanner, (https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download)
Recommendations for later
The HAFNIUM attack is not the last one we will see. Recommendations for the future were therefor presented to prepare for future attacks and improve the overall robustness and resilience.
First, improving on logging and monitoring is crucial to react quickly and efficiently in the event of an attack. This includes all logs from all systems and consider implementing SSL/TLS inspections where possible to gain valuable visibility into encrypted traffic.
These are the more general recommendations:
- For on-premises Exchange setups, Outlook Web Access and Exchange Web Services should be kept inaccessible from the Internet (allow only access from LAN and VPN – or SSL VPN if clientless access is required)
- Multi-factor authentication (MFA) should be implemented for all logins (especially all external log-in/logins accessible to the Internet)
- Permission for services such as the ones on Exchange servers should be checked and reduced to the minimum required where possible (excessive permissions brings risk if configured incorrectly)
- Ensure that all service accounts have long and complex passwords
- Implement a Web Application Firewall in front of web services required to be exposed to the internet to allow blocking/filtering requests
- Firewall rules should be reviewed to check if there are policies providing excessive access to/from/between systems.
- Enforce a Windows policy where administrators have their sessions closed after a set period of inactivity. This helps prevent passwords from existing in memory for easy harvesting
- Implementing file integrity monitoring to monitor suspicious file activity
- Patch management needs to be improved – both OS and applications must be enrolled in set patching routine to ensure the latest updates and patches are applied as fast as possible
- Periodically perform vulnerability and/or penetration testing activities to be proactive about vulnerabilities and misconfigurations – both externally and internally
The following references are to some of the relevant information about the case:
- Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits
- Microsoft: Released: March 2021 Exchange Server Security Updates
- Microsoft Safety Scanner
- FireEye: Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
From the news:
- krebsonsecurity.com: At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Softwar
- www.bleepingcomputer.com: Microsoft's MSERT tool now finds web shells from Exchange Server attacks
- www.zdnet.com: Check to see if you’re vulnerable to Microsoft Exchange Server zero-days using this tool
- github.com: microsoft / CSS-Exchange
- www.wired.com: Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims
- arstechnica.com: Tens of thousands of US organizations hit in ongoing Microsoft Exchange hack
- www.scmagazine.com: Government briefed on breach of at least 30,000 Microsoft Exchange Servers