
Hafnium Exchange Server Attacks

    Hafnium is a threat actor group actively targeting Exchange Servers with Outlook Web Access (also known as “OWA”) exposed to the Internet. The underlying problem is a set of zero-day exploits against Microsoft Exchange. These exploits allow the Hafnium threat actors to gain access to and take control of the Exchange Servers.

    The attack doesn’t stop there. Once the threat actors have access to the Exchange server, they can start moving laterally throughout the network, compromise other systems, and exfiltrate data that’s valuable to the organization and to the attackers.

    The latest reports indicate at least 30,000 organizations have been compromised, but that figure is suspected to be a significant undercount.

    Web Shells

    If you’ve read anything about the attack you might have seen that web shells were being used to gain access to the Exchange Servers, but what exactly are web shells?

    A web shell is code that is accessed like a web page, makes a connection back to the attacker, and then gives the attacker a command line on the victim’s Exchange Server. What’s currently being observed is that multiple threat actors are compromising the same servers. Imagine someone breaking into your house and then three or four more burglars coming in as well, all with differing agendas.

    Some of these threat actors are after research data and intellectual property while others are staging a ransomware attack against the victim organizations.

    If your organization has an Exchange Server and Outlook Web Access is configured to allow access from the Internet, assume you are breached and start incident response activities now. Patching the vulnerability isn’t enough and it won’t get the threat actors out of your network once they have a foothold.
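Triage of the front-end web logs is one of the first places the incident response described above starts. The script below is an added example, not code from the original post: it parses IIS W3C log records from an Exchange/OWA server and flags requests for .aspx pages under directories where web shells are typically dropped that are not in a baseline of known legitimate pages, then applies the same baseline to a directory listing. The baseline set, the watched directories, the log lines, the IP addresses and the page names are all constructed for the example; a real baseline should be built from a known-clean install of the same Exchange version.

```python
"""Triage IIS W3C logs from an Exchange/OWA front end for requests to
unexpected .aspx pages in directories where web shells are commonly placed.
Example code, not part of the original post."""
from collections import Counter
from urllib.parse import unquote

# Assumed baseline: pages that legitimately exist under the watched
# directories on this server. Build the real list from a known-clean
# install of the same Exchange version, not from memory.
KNOWN_GOOD = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
}
WATCHED_DIRS = ("/owa/auth/", "/aspnet_client/", "/ecp/")


def parse_w3c(lines):
    """Yield one dict per IIS W3C record, naming columns from the #Fields header."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record: skip rather than guess
        yield dict(zip(fields, values))


def is_unexpected_aspx(stem):
    """True for an .aspx path under a watched directory that is not in the baseline."""
    stem = unquote(stem).lower()
    return (stem.endswith(".aspx")
            and stem.startswith(WATCHED_DIRS)
            and stem not in KNOWN_GOOD)


def find_suspicious(lines):
    """Return one record (time, client, method, path, status) per unexpected .aspx hit."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if is_unexpected_aspx(stem):
            hits.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "client": rec.get("c-ip", "-"),
                "method": rec.get("cs-method", "-"),
                "stem": stem,
                "status": rec.get("sc-status", "-"),
            })
    return hits


def summarize_by_client(hits):
    """Count unexpected .aspx hits per client IP to spot a single source working the server."""
    return Counter(h["client"] for h in hits)


def unexpected_files(paths):
    """Apply the same baseline to a listing of the web root (URL-style paths)."""
    return sorted(p for p in paths if is_unexpected_aspx(p))


# Constructed sample log: documentation-range IPs, invented page names.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-05 08:01:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 41
2021-03-05 08:01:40 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 302 0 0 88
2021-03-05 08:03:07 10.0.0.5 POST /owa/auth/notes_backup.aspx - 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 15
2021-03-05 08:03:09 10.0.0.5 GET /aspnet_client/diag_test.aspx - 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 12
2021-03-05 08:05:00 10.0.0.5 GET /owa/ - 443 CORP\\alice 203.0.113.11 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 30
"""

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["time"]} {h["client"]} {h["method"]} {h["stem"]} -> {h["status"]}')
    print("hits per client:", dict(summarize_by_client(found)))
```

The baseline approach matters more than the specific names: a web shell is just another .aspx page to IIS, so the question to ask of the logs is "which pages were served that should not exist on this server at all", and the same list answers that question for the files on disk.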

    Hafnium and Other Threat Actors

    These types of attacks are nothing new, and we’ve seen a lot of similar attacks over the past 12 months affecting a large number of organizations. Unfortunately, the media is playing into this by using terms like “Cyber War” and “Cyber Pearl Harbor”.

    It’s difficult to define what does and does not constitute an act of war from a cyber perspective, and our government needs to take a step back and determine where our cyber boundaries are as a country. At most I would label this intelligence gathering or spying, not an act of war.

    The motives behind these attacks are typically financial gain or competitive advantage and not the destruction of property, loss of life, or other acts of war.

    Stopping Threat Actors Like Hafnium

    Threat actors like Hafnium can be stopped before they gain access to the internal network. This requires robust logging, monitoring, and alerting, and a formal information security program with highly trained staff to manage it. There’s no silver bullet for this problem. Security vendors touting that their “AI” solution will stop all attackers like this are wrong. Dead wrong. What detects and stops attackers is humans looking at the data and adding context to it. Threat actors are very good at blending in and looking like normal traffic. You need trained eyes that understand what normal activity looks like and when abnormal events indicate something more malicious.