News

Microsoft and Security Researchers Describe Tips and Tools for Detecting Exchange Server Hafnium Attacks

• By Kurt Mackie
• 03/08/2021

Microsoft last week updated its recommendations to organizations running Exchange Server, targeted in Hafnium nation-state attacks, by describing some new resources.

There's now an updated PowerShell script released for detecting indicators of compromise. In addition, Microsoft offered some mitigations steps for organizations to take when they can't patch their systems quickly. The U.S. Cybersecurity and Infrastructure Security Agency noted the addition of these resources in a March 6 announcement.

Microsoft had issued out-of-band patches last week to block multiple zero-day vulnerabilities in Exchange Server 2010, 2013, 2016 and 2019 products, which are currently under active exploit. Microsoft identified the attackers as the Hafnium espionage group, affiliated with China. The activities of this group were detected as early as January by security investigators at Dubex and Volexity.

Security solutions firm Huntress, which has found Webshells associated with the Hafnium attacks, suggested that users of Exchange Servers should "assume you've been hit" and not trust a dashboard view of their security posture. All "preventive products" had allowed these Webshells to get installed, Huntress indicated.

"We recommend you not only patch immediately, but externally validate the patch and hunt for the presence of these webshells and other indicators of compromise," a Huntress blog post advised.

Hybrid Environments Subject to Attack
The Hafnium attacks are just affecting users of Exchange Server products. They don't affect subscribers to the Exchange Online service. However, organizations using hybrid identity solutions likely are subject to these exploits, as well, because they need to run one Exchange Server for management purposes, explained Steve Goodman, a Microsoft Most Valuable Professional.

"As almost every Exchange Online admin knows, perhaps the biggest annoyance is that if you are running Azure AD Connect -- and therefore run Hybrid Identity then you need to run at least one Exchange Server on-premises for management of aspects like proxy addresses," Goodman explained in a March 5 Practical365.com post.

Organizations using the Outlook Web App (OWA) with Exchange Server should check for the creation of new files in Internet-facing directories, according to Kevin Beaumont, a security researcher at Microsoft, in a March 3 Twitter post:

If you have Exchange OWA presented to internet, I strongly suggest you look for new files created in: C:\inetpub\wwwroot\aspnet_client\ C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ Example files created in past week: supp0rt.aspx, discover.aspx

Beaumont also recommended running Microsoft's PowerShell script to check for indicators of compromise, as well as "manually checking for newly created .aspx files."

There is a "known issue" when manually applying Microsoft's security patches for Exchange Server products that could cause Outlook on the Web and the Exchange Control Panel to stop working, Beaumont also noted, as described in a Microsoft support article.

Broad Attack
The Hafnium attack seems to be a big one. Reuters last week reported 20,000 compromised U.S. organizations. Security writer Brian Krebs in a KrebsonSecurity post put the total "at least 30,000."

U.S. authorities have been checking for "potential compromises of U.S. think tanks and defense industrial base entities," according to a March 4 Twitter post by Jake Sullivan, a White House National Security advisor.

On March 7, the European Banking Authority explained that it was "the subject of a cyber-attack against its Microsoft Exchange Servers," although it later indicated in an update that "no data extraction has been performed." 

The Hafnium attacks apparently are broad, rather than being narrowly targeted. Software security firm FireEye found a rather disparate list of victims based on its "telemetry" information, according to a March 4 post:

Based on our telemetry, we have identified an array of affected victims including US-based retailers, local governments, a university, and an engineering firm. Related activity may also include a Southeast Asian government and Central Asian telecom. Microsoft reported the exploitation occurred together and is linked to a single group of actors tracked as "HAFNIUM", a group that has previously targeted the US-based defense companies, law firms, infectious disease researchers, and think tanks.

FireEye, like Huntress, also observed Webshell activity associated with the Exchange Server attacks "beginning in January 2021." The shells specifically tried to detect antimalware solutions, such as agents from FireEye, CarbonBlack and CrowdStrike, FireEye indicated.

More tips can be found in FireEye's March 4 post. FireEye recommended checking for Windows system child processes on Exchange Servers, among many other approaches. Ideally, organizations need "at least 14 days of HTTP web logs" and "at least 14 days of Exchange Control Panel (ECP) logs," along with Windows event logs to do the forensic analyses.