Major Cyberthreat to Exchange on Premise Servers

Posted By Remote Techs On 04-March-2021

On Tuesday, March 2, 2021, Microsoft announced that they identified new nation-state cyberattacks, named HAFNIUM, using previously unknown exploits that target vulnerabilities in the company’s on-premises Exchange Server software.

In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.

The vulnerabilities exist in on-premises Exchange Servers 2010, 2013, 2016, and 2019. Exchange Online is not affected, and Microsoft has no evidence that HAFNIUM’s activities targeted individual consumers or that these exploits impact other Microsoft products.

Microsoft highly recommends that you take immediate action to apply the patches to any on-premises Exchange deployment you own or manage for a customer, or advise your customer to take these steps. Here’s what you need to know and do to protect your on-premises Exchange servers from falling victim to a HAFNIUM attack.

How The HAFNIUM Attacks Work

While based in China, HAFNIUM conducts its operations primarily from leased virtual private servers (VPS) in the United States. The attacks include three steps:

  1. It gains access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.
  2. It creates what’s called a web shell to control the compromised server remotely.
  3. It uses that remote access — run from the US-based private servers — to steal data from an organization’s network.

Immediate Actions to Take

Regardless of your long-term plans for Exchange on-premises, these steps should be taken immediately to secure on-premises deployments from these newly found zero-day threats:

Immediately Patch Your Exchange Environments

A major zero-day incident is the exact scenario for which out-of-band patching exists. Just as Microsoft broke its normal patch release schedule to ship these fixes, you must not wait for Patch Tuesday to deploy them.
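Before and after patching, you need a quick inventory of which Exchange servers still sit below the fixed build. The following PowerShell is an added example, not code from the original post or from Microsoft. It assumes the Exchange Management Shell is loaded so that `Get-ExchangeServer` is available; the `AdminDisplayVersion` property it reads really does render as `Version 15.1 (Build 2176.2)`. The minimum build numbers in the table are placeholders: the post does not list the patched builds, so take them from Microsoft's release notes for the update you are deploying. The sample inventory at the bottom is constructed so the script runs offline.

```powershell
# Added example (not from the original post): compare each Exchange server's
# build against a minimum patched build and flag servers that still need work.
# PLACEHOLDER minimum builds - replace with the builds from Microsoft's release notes.
$MinimumBuild = @{
    '14.3' = [version]'14.3.0.0'   # Exchange 2010 SP3 - placeholder
    '15.0' = [version]'15.0.0.0'   # Exchange 2013   - placeholder
    '15.1' = [version]'15.1.0.0'   # Exchange 2016   - placeholder
    '15.2' = [version]'15.2.0.0'   # Exchange 2019   - placeholder
}

function ConvertFrom-AdminDisplayVersion {
    # Parses the "Version 15.1 (Build 2176.2)" string into a comparable [version].
    param([Parameter(Mandatory)][string]$Text)
    if ($Text -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [version]::new([int]$Matches[1], [int]$Matches[2],
                              [int]$Matches[3], [int]$Matches[4])
    }
    throw "Unrecognised AdminDisplayVersion: '$Text'"
}

function Get-ExchangePatchReport {
    # Accepts objects with Name and AdminDisplayVersion (as Get-ExchangeServer emits)
    # and returns one status row per server.
    param([Parameter(ValueFromPipeline)]$Server)
    process {
        $build = ConvertFrom-AdminDisplayVersion $Server.AdminDisplayVersion.ToString()
        $key   = "$($build.Major).$($build.Minor)"
        if (-not $MinimumBuild.ContainsKey($key)) {
            $status = 'UNKNOWN_PRODUCT'       # not a version family in the table
            $minimum = $null
        } else {
            $minimum = $MinimumBuild[$key]
            $status  = if ($build -ge $minimum) { 'Patched' } else { 'NEEDS_PATCH' }
        }
        [pscustomobject]@{ Server = $Server.Name; Build = $build; Minimum = $minimum; Status = $status }
    }
}

# Constructed sample inventory so the script runs without an Exchange org.
# Live use: Get-ExchangeServer | Get-ExchangePatchReport | Format-Table -AutoSize
$sample = @(
    [pscustomobject]@{ Name = 'EX16-01'; AdminDisplayVersion = 'Version 15.1 (Build 2176.2)' }
    [pscustomobject]@{ Name = 'EX19-01'; AdminDisplayVersion = 'Version 15.2 (Build 792.3)' }
    [pscustomobject]@{ Name = 'LEGACY';  AdminDisplayVersion = 'Version 8.3 (Build 83.6)' }
)
$sample | Get-ExchangePatchReport | Format-Table -AutoSize
```

Because the placeholder minimums are all zero, the sample rows report `Patched` until you fill in the real builds; the point of the script is the comparison and the `UNKNOWN_PRODUCT` row, which surfaces any server running a version family you have no patch plan for. Run it again after the update cycle so the report becomes your evidence that no on-premises server was missed.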

Exchange patch information: