With the massive SolarWinds hack still in recent memory, another titan of industry has fallen victim to a predatory campaign. Microsoft and its clients are in dire straits, reeling from an attack attributed to the Chinese state-sponsored group Hafnium. Up to 60,000 business and personal accounts have been infiltrated through Microsoft Exchange vulnerabilities, and hackers are taking advantage of two particular zero-day exploits to meet their goals.
Akin to the SolarWinds fiasco, the Hafnium offensive is permeating both the private and public sectors. Both recent hacks are baffling security professionals, as the methodology employed defies standard and up-to-date protection measures. Microsoft had made concessions, reporting it had awareness of potential deficiencies in early January. The company was appraised of the SolarWinds attack by pure happenstance; an employee at FireEye noticed the patterns prompting further investigation.
Hafnium is today’s bogeyman, but experts claim at least five other hacking factions are actively working to infiltrate through the similar Exchange Server flaws. The CVE weaknesses create an optimal window for unauthenticated remote code input in Exchange Server devices via web shells. These shells indicate plans for persistent pursuit of phony security clearances and continued data exfiltration. The danger is tenfold given that Exchange Server activity has been increasingly shifting to online publication for want of flexibility in remote and from-home work situations.
Microsoft’s Detection and Response Team (DART) released a detailed document on March 16 meant to guide victims through the recovery process. Among its recommendations is immediate application for March 2021 exchange server security updates, which can prevent further attacks, but unfortunately won’t affect pre-existing server squatters. A temporary measure, blockading inbound connections made over port 443, will at least disengage the Exchange Server from the public internet to mitigate risk.
Microsoft’s Defender for Endpoint anti-malware program is also helping to clean up the mess. Servers already onboarded to Defender have access to the threat analytics software in the Microsoft 365 security center. The analysis of a hacking campaign’s refractory period, made possible by Defender, helps systems to stand firm under the pressure of possibly modified infiltration strategies. However, the malware installed is apparently designed to allow hackers reentry at their will.
Defender has not been completely outfoxed by the Hafnium hack—specific lines of attack set off red flags for the program. A key component of the server hack, the exploitation of a CVE-20221-27065 post-authentication file-write vulnerability generating false clearances and privileges when paired with CVE-2021-26855 manipulation, was put to a halt by Defender.
Defender for Endpoint will be available for public access as part of a 90-day trial to bolster the efforts of on-site Exchange Server clients in executing security diagnostics and restoring the status quo.
