UPDATE: Microsoft Exchange Hafnium Compromise


CI has taken two new steps in response to the Exchange Server compromise. 

1. We hosted a panel discussion, which you can watch on this page. 

2. We sent another communication to our Managed Detection and Response customers. We are posting the communication here in hopes that it helps others:

The Microsoft Exchange compromise has taken a new turn: ransomware operators are now exploiting it, according to several reports, including Microsoft Security Intelligence. While this was expected, today is a good day to make sure you are prepared.

As a reminder, this only affects organizations running on-premises Exchange Server; Exchange Online is not affected. The exploited vulnerabilities affect Exchange 2013, 2016 and 2019, and Microsoft also released a defense-in-depth update for Exchange 2010. Patching closes the hole but does not evict an attacker who is already inside, so the risk that a server was compromised before the patch was applied must be carefully evaluated.

Previously, criminals and/or state actors had compromised Exchange servers but had not taken action beyond downloading accessible data (commonly Outlook Address Book information) and implanting web shells. It now appears that at least 10 groups are using the vulnerabilities to deploy malware, including ransomware, on compromised systems.

Patching and Rebuilding 

All organizations with on-prem Exchange servers should have patched by now and looked for indicators of compromise.  

If you have patched and/or rebuilt your server and no indicators have been detected on your systems, there is a good chance the criminals will not be able to lock up your network. But if they were in your system at one point, if they were able to implant code on servers, access files and data, or conceivably pivot from your Exchange server further inside your network, there is a risk they have left an undetected backdoor.

What to Do 

If you have an on-prem Exchange Server, make sure you: 

  1. Apply the March 2021 Exchange Server Security Updates for Exchange 2010 through Exchange 2019. 
  2. Apply the March 2021 Windows DNS Server patch (CVE-2021-26897, a separate remote code execution flaw, not part of the Exchange issue) to your Domain Controllers.
  3. Have recent successful backups, and restoration procedures ready
  4. Ensure those successful backups are offline and isolated from your network.  Many ransomware strains target backup systems and volumes and render them inaccessible.
  5. Make sure your team knows your IR procedures and has a copy of critical documents (IR plans, DR plans, contact lists) securely stored offline and accessible in the event your file servers are unavailable
  6. Alert appropriate staff members of the heightened risk, including your HelpDesk and support teams.  Remind staff to isolate and disconnect computers that may have ransomware while they are investigating.
  7. Use a “next generation” EDR product such as Microsoft Defender for Endpoint on affected servers (and ideally all clients as well) for enhanced monitoring and protection.
  8. Proactively change service account passwords and domain account passwords that were known to your Exchange server
  9. Ensure all employee user accounts require MFA to authenticate at least once per day
  10. Monitor your domain controller security logs for suspicious logon activity
  11. Some tools such as Varonis DatAdvantage and Netwrix Auditor have built-in ransomware and cryptolocker behavioral activity detection.  These features should be enabled if they are not already.
  12. If you run a critical-services environment, such as a hospital or global logistics operation, proactively prepare a standby domain controller: build a server, promote it to Domain Controller and Global Catalog server, and after a complete directory synchronization disconnect it from your network and leave it isolated. Refresh it on a schedule, because a domain controller that stays disconnected longer than the forest tombstone lifetime (180 days by default) cannot be safely rejoined. (An isolated copy of the directory is what allowed Maersk to rebuild after the NotPetya attack in June 2017: a single domain controller in Ghana that had been offline during a power outage survived.)
  13. Ensure your network perimeter defenses (firewalls, intrusion prevention systems) are in high security and enforcement mode, blocking the suspicious and malicious traffic they identify.
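The domain controller log review in item 10, as an added example (this is not Critical Insight's script; the Exchange IP address, the expected account names and the 14-day window are placeholders to replace). Exchange's IIS application pools run as the server itself, so a web shell that reaches out to a domain controller authenticates as the Exchange computer account. Any other identity logging on to a DC from the Exchange server's address is therefore worth a look, and that is what the script reports:

```powershell
<#
  Added example, not Critical Insight's tooling. Hunts a domain controller's
  Security log for logons that originate from an on-prem Exchange server's IP
  but use an account other than the Exchange computer account or a known
  service account. Placeholders (replace before use): $ExchangeIPs,
  $ExpectedAccounts, $Since. Run elevated on each DC, or add -ComputerName
  to Get-WinEvent to query a DC remotely.
#>
param(
    [string[]]$ExchangeIPs      = @('10.0.1.25'),                 # assumed placeholder
    [string[]]$ExpectedAccounts = @('EXCH01$', 'svc-exchbackup'), # assumed placeholders
    [datetime]$Since            = (Get-Date).AddDays(-14)
)

# Flatten an event's <EventData> into a hashtable keyed by field name.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    return $data
}

# 4624 = successful logon; 4672 = special privileges assigned to that logon session.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4672; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

# 4672 carries no source IP, so index it by logon session ID and join it to 4624 below.
$privilegedSessions = @{}
foreach ($e in ($events | Where-Object Id -eq 4672)) {
    $d = ConvertTo-EventData $e
    $privilegedSessions[$d['SubjectLogonId']] = $true
}

$findings = foreach ($e in ($events | Where-Object Id -eq 4624)) {
    $d = ConvertTo-EventData $e
    if ($ExchangeIPs -notcontains $d['IpAddress'])        { continue }   # not from an Exchange box
    if ($ExpectedAccounts -contains $d['TargetUserName']) { continue }   # machine/service account, expected
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType   = $d['LogonType']      # 3 = network, 10 = RDP; RDP from an Exchange server is a red flag
        SourceIP    = $d['IpAddress']
        Workstation = $d['WorkstationName']
        Privileged  = [bool]$privilegedSessions[$d['TargetLogonId']]   # session was granted admin rights
    }
}

if ($findings) {
    $findings | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No unexpected logons from $($ExchangeIPs -join ', ') since $Since"
}
```

Every hit is a starting point, not a verdict: a backup or monitoring agent installed on the Exchange server will show up here, and the right response is to add its service account to the allow-list once you have confirmed it. A user account appearing with Privileged set to True, or any logon type 10 from the Exchange address, should go straight into your IR process. The script relies on successful-logon auditing being enabled on the DC, which is the default, and on the Security log retaining enough history to cover the window you pass in.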

What Critical Insight is Doing

The Critical Insight Operations Center is monitoring all Managed Detection and Response customers for lateral movement and other signs of malicious activity.  We are carefully watching for emerging IOCs to implement into our monitoring to help us identify exploits as early as possible.  While we are always vigilant, we are on elevated alert.  

CI is adding resources to help customers respond, should the need arise.  

Stay calm, stay safe, be prepared, and if CI can assist, we are here for you.