In a statement posted on the 2 March 2021, Microsoft shared information about a ‘state-sponsored threat actor’ that was identified by their Intelligence Centre (MSTIC), that they named ‘Hafnium’.
Microsoft are urging customers to upgrade their Exchange environments to the latest supported version to protect themselves against this cyber threat.
The cyber criminals behind Hafnium are targeting servers that haven’t got the latest security patches installed. Keeping your computers and servers up to date with patches is an inexpensive but very important step to include in your cyber security strategy.
What is Happening
According to Bloomberg, an estimated 60,000 businesses have been compromised under this attack, victims are not restricted to one type of business either. So far, we have seen thousands of companies targeted including, small hotels, an ice cream company, The European Banking Authority, and many individuals targeted.
According to Microsoft, Hafnium has recently engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. These exploits are discussed in details by MSTIC.
The attacks include three steps:
1. Gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.
2. Create what’s called a web shell to control the compromised server remotely.
3. Use that remote access – run from private servers – to steal data from an organisation’s network.
What are Microsoft Doing About It?
Microsoft are urging customers to install their latest security updates, that will protect customers running Exchange Server.
It is important to note that if you have been compromised already these updates will not fix the issue.
How Do I Know if My Server Has Been Compromised?
If you are running an on premise Microsoft Exchange Server, you should operate under the assumption that you have been compromised. Patch your servers immediately, validate the patch externally then search for the presence of the web shells and other indicators listed on Microsoft’s support page.
If you are concerned that your business has been compromised or would like to ensure you are protected against Hafnium, get in touch, we have a team of cyber security experts who can help.