30,000 Businesses Affected by Hafnium Attack

Microsoft email software from small businesses, towns, local governments and cities were accessed by a Chinese cyber-espionage unit.

March 10, 2021

Computer That Has Been Hacked

SEATTLE—This week, at least 30,000 U.S. small businesses, local governments, cities and towns had their email hacked by a Chinese cyber-espionage unit through four newly uncovered flaws in Microsoft Exchange Server email software. During the attacks, criminals “seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems,” according to KrebsOnSecurity.com.

“We are seeing the effects already within the petroleum sector of the current Microsoft Exchange zero-day vulnerabilities that recently came to light. These vulnerabilities are commonly referred to in the press as the Hafnium Attack,” Mark Carl, chief security officer for PDI, shared with NACS Daily, adding, “These vulnerabilities were in the hands of attackers for nearly two months before patches were available. The U.S. National Security Council (NSC) recommends that any organization that identifies these vulnerabilities in their environment immediately begin remediation to see if they are already compromised, and to patch servers to prevent further risks."

Microsoft reported that in the attacks observed, “the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”

The vulnerabilities being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server.

Rick Bos, senior security architect at W. Capra Consulting Group, told NACS Daily that the Hafnium attack ”quickly escalated from initial discovery to tens of thousands of companies in less than two months. “Unfortunately, this is the new reality with the state-sponsored actors that are behind these attacks. They are well organized, well-funded and aggressive. This makes it even more imperative that every organization have a proactive defense against cyberattacks, including systems for detecting attacks, the ability to patch systems quickly, and incident response plans that are regularly exercised.”

Brett Stewart, chief technology officer for Acumera Inc., commented that incidents like this “underscore the need for a modern approach to cybersecurity management. Just having a firewall and automated daily software patching isn't good enough. If you operate your own Microsoft Exchange server and it was exposed to the Internet, it's very likely compromised. Merchants should look for security partners with a platform approach, who can help them monitor for threats across multiple layers of their digital estate,” he told NACS Daily.

To protect against future attacks, Sam Pfanstiel, director security consulting services for Viking Cloud, a Sysnet company, recommended developing a “a defense-in-depth strategy, including using intrusion-detection systems to monitor and alert for unusual activity, network segmentation to limit exposure, and data-loss prevention systems to limit the impact of such an attack.”

Also, apply the patches to address the underlying vulnerabilities exploited in these attacks, in addition to “monitoring vendor updates and security news sources to quickly test and install these critical security updates,” said Pfanstiel, adding that whether or not your organization was affected by the Hafnium attack, this latest episode is a prescient reminder to have real-world incident response plans in place with  up-to-date risk assessments so teams can  quickly respond to limit exposure, notify affected parties and mitigate the impacts of lost data. “In this case, the potential loss of troves of emails and organizational data, cached authentication information, and the further abuse of this sensitive data in future attacks,” he told NACS Daily.

“The latest Microsoft vulnerabilities require your organization to be running on-premise Exchange and related remote access services to be vulnerable,” Scott Cheek, vice president of business development for SageNet, shared with NACS Daily. “The good news is many of us have transitioned to O365. The bad news is if you are running Exchange with related remote access services, you are likely compromised. Patching has never been more important than right now. An investigation should immediately follow patching to identify if there are indicators of compromise. … If your organization has been found to be compromised, a full incident response effort should follow.”

Not a NACS Magazine or NACS Daily subscriber? Subscribe to NACS Magazine in a print and/or digital format to read the latest insights from industry thought leaders each month. Subscribe to NACS Daily to receive a roundup of industry news and trends in your inbox each weekday.