In early March 2021, Microsoft reported a large-scale coordinated attack exploiting critical vulnerabilities in Exchange Server 2010, 2013, 2016 and 2019. The attack was intended to exfiltrate credentials and other sensitive data from corporate mailboxes. Microsoft attributed the attack to a sophisticated Chinese group codenamed HAFNIUM. The first detected exploitation attempts date back to January 2021. Since then, other actors have begun exploiting the same vulnerabilities to conduct similar large-scale attacks across a wide range of industries, including infectious disease research organizations, law firms, higher education institutions, defense contractors, political think tanks and NGOs.
How do these attacks work?
The Exchange Server vulnerabilities allow attackers to write files to the server and execute code as the highly privileged SYSTEM account, typically by dropping a web shell (a script-based, remotely accessible backdoor) into a web-served directory. Once such a backdoor is in place, the attackers keep the ability to run commands on the server even after the vulnerabilities themselves have been patched. From there they can steal data and credentials, or deploy ransomware or other malware.
What is the best method for updating Exchange Server?
We recommend that you read Microsoft's blog post about the attack and then download and apply the latest cumulative update, followed by the March 2021 security update for that cumulative update level, as soon as possible.
If you cannot patch immediately, run Microsoft's one-click mitigation tool (the Exchange On-premises Mitigation Tool) to temporarily protect your servers from known attacks that exploit these vulnerabilities. The tool reduces exposure to the attack patterns seen so far; it is not a substitute for installing the updates.
How do you determine if your Exchange servers have been compromised?
Microsoft maintains a list of indicators of compromise and investigative steps on its blog, accessible via the page “Protecting On-Premises Exchange Servers from Recent Attacks”. Use this information to perform a thorough assessment of your Exchange servers. If you find signs of an active backdoor, we urge you to engage an incident response provider to assess the extent of the breach and the potential exposure of other resources.
If you use Netwrix Auditor for Exchange, you can easily detect suspicious data exports from mailboxes and other unusual activity on your Exchange servers, which may be a sign that they have been compromised.
Step 1: Check if data has been exported from mailboxes.
Perform an interactive search with the following filters:
- Who filter: NT AUTHORITY\SYSTEM
- Object Type filter: Mailbox Export Request
Any mailbox export request made by NT AUTHORITY\SYSTEM is suspicious and should be investigated: legitimate exports are initiated by a named administrator, not by the local SYSTEM account. Hopefully what you will find is not like the screenshot below, which shows that several important mailboxes, including the CEO’s, have been exported.
Step 2: Check for other suspicious activity on your Exchange Server.
HAFNIUM attacks are not limited to stealing data from mailboxes. Once the attackers are in, they can do whatever they want on your Exchange Server, including harvesting other credentials and using them to move around your environment at will. Since the earliest known exploitation dates to January 2021, we recommend that you review all SYSTEM account activity from that month onward.
Perform a new interactive search with the following filters:
- Who filter: NT AUTHORITY\SYSTEM
- Data Source filter: Exchange
- When filter: Date Range, from 1 January 2021 to present
Look for any unusual activity that might indicate a breach or sabotage, including changes to mailbox delegations and permissions, changes to role groups, non-owner mailbox access events, mailbox deletions, or changes to the Exchange databases. Investigate any suspicious events promptly.
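The two steps above can also be run without Netwrix Auditor, straight from the Exchange admin audit log, which records every state-changing cmdlet together with the account that ran it. The script below is an added example written for this article; it is not Netwrix code and not part of the original page. It assumes you have exported the log on the Exchange server with `Search-AdminAuditLog -StartDate 01/01/2021 -EndDate (Get-Date) | Export-Csv audit.csv -NoTypeInformation` (without `-NoTypeInformation`, Windows PowerShell prepends a `#TYPE` line that you would need to strip first) and that the `RunDate` column is in en-US format. The embedded CSV rows are constructed for the example and are not real log data, and the `contoso.com` names are placeholders. Step 1 lists mailbox export requests created by SYSTEM; Step 2 lists all SYSTEM activity since 1 January 2021 and marks the cmdlets that correspond to the event types named above (delegations and permissions, role groups, mailbox deletions, database changes, exports) so they can be triaged first.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of `Search-AdminAuditLog | Export-Csv` output
# (columns Caller, CmdletName, ObjectModified, RunDate). Every row below is
# invented for this example; none of it is real log data.
SAMPLE_AUDIT_CSV = """Caller,CmdletName,ObjectModified,RunDate
"CONTOSO\\helpdesk","Set-Mailbox","contoso.com/Users/jdoe","1/5/2021 9:12:03 AM"
"NT AUTHORITY\\SYSTEM","Set-TransportConfig","Transport Settings","1/6/2021 3:45:10 AM"
"CONTOSO\\exadmin","New-MailboxExportRequest","contoso.com/Users/legal-hold","12/10/2020 11:00:00 AM"
"NT AUTHORITY\\SYSTEM","New-MailboxExportRequest","contoso.com/Users/ceo","3/3/2021 2:17:41 AM"
"NT AUTHORITY\\SYSTEM","Add-MailboxPermission","contoso.com/Users/cfo","3/3/2021 2:41:55 AM"
"NT AUTHORITY\\SYSTEM","Remove-MailboxExportRequest","ceo\\MailboxExport","3/3/2021 2:40:09 AM"
"""

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
INVESTIGATION_START = datetime(2021, 1, 1)  # earliest known exploitation

# Cmdlets that change who can read mail, who holds Exchange roles, what data
# leaves the server, or the databases themselves: the admin-audit-log
# counterparts of the event types the article says to review.
HIGH_INTEREST_CMDLETS = frozenset({
    "New-MailboxExportRequest", "Remove-MailboxExportRequest",
    "Add-MailboxPermission", "Remove-MailboxPermission", "Add-ADPermission",
    "Set-Mailbox",  # covers -GrantSendOnBehalfTo, -ForwardingAddress, etc.
    "Add-RoleGroupMember", "New-RoleGroup", "New-ManagementRoleAssignment",
    "Remove-Mailbox", "Disable-Mailbox",
    "Set-MailboxDatabase", "Remove-MailboxDatabase", "Dismount-Database",
})


def load_audit_records(csv_text):
    """Parse the CSV export into dicts, converting the en-US RunDate to datetime."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["RunDate"] = datetime.strptime(row["RunDate"], "%m/%d/%Y %I:%M:%S %p")
        records.append(row)
    return records


def is_system(record):
    """True when the cmdlet was run by the local SYSTEM account."""
    return record["Caller"].upper() == SYSTEM_ACCOUNT


def find_system_exports(records):
    """Step 1: mailbox export requests created by SYSTEM, regardless of date.
    The audit entry survives even if the attacker later removed the request,
    which Get-MailboxExportRequest alone would no longer show."""
    return [r for r in records
            if is_system(r) and r["CmdletName"] == "New-MailboxExportRequest"]


def find_system_activity(records, since=INVESTIGATION_START):
    """Step 2: every SYSTEM cmdlet run on or after `since`, oldest first, with
    high-interest cmdlets marked Flagged=True so they are triaged first."""
    hits = [dict(r, Flagged=r["CmdletName"] in HIGH_INTEREST_CMDLETS)
            for r in records if is_system(r) and r["RunDate"] >= since]
    return sorted(hits, key=lambda r: r["RunDate"])


if __name__ == "__main__":
    recs = load_audit_records(SAMPLE_AUDIT_CSV)
    print("Step 1 - mailbox exports requested by SYSTEM:")
    for r in find_system_exports(recs):
        print(f"  {r['RunDate']:%Y-%m-%d %H:%M}  {r['ObjectModified']}")
    print(f"Step 2 - SYSTEM activity since {INVESTIGATION_START:%Y-%m-%d}:")
    for r in find_system_activity(recs):
        mark = "!!" if r["Flagged"] else "  "
        print(f"  {mark} {r['RunDate']:%Y-%m-%d %H:%M}  "
              f"{r['CmdletName']:<28} {r['ObjectModified']}")
```

Two caveats when running this against a real export. The admin audit log is kept only for the period set by `AdminAuditLogAgeLimit` (90 days by default), so on a server first compromised in January the earliest entries may already be gone; check the limit with `Get-AdminAuditLogConfig` before concluding that nothing happened. And non-owner mailbox access is recorded in the mailbox audit log (`Search-MailboxAuditLog`), not the admin audit log, so that part of Step 2 needs a separate query.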
What else can you do to protect your organization?
We recommend that you set up alerts for mailbox export requests and any other suspicious activity on your Exchange servers. Remember that installing the latest Exchange Server updates closes the entry point but does not remove backdoors that attackers planted before the update; those still have to be found and removed.
Every time you perform a search with Netwrix Auditor, you can create an alert based on that search in just two clicks:
- Open the “Tools” menu.
- Click on “Create Alert”.
Latest recommendations
Keep in mind that threats continue to evolve: other criminals are actively exploiting unpatched servers to steal data and spread ransomware. So stay alert to any suspicious activity on your Exchange servers.