Microsoft recently announced a campaign by a sophisticated nation-state threat actor, operating from China, to exploit a collection of 0-day vulnerabilities in Microsoft Exchange and exfiltrate customer data. They’re calling the previously unknown hacking gang Hafnium.
Microsoft has apparently been aware of Hafnium for a while — they do describe the group’s historical targets.
But this is the first time that the public has learned about the crew and the vulnerabilities they’ve been exploiting.
Who are Hafnium?
Hafnium began quietly exploiting the Exchange vulnerabilities in early January, when global attention was focused on events at the US Capitol. Initially, they concentrated on data exfiltration from targets of interest for China’s national security. Those included infectious disease researchers, think tanks, and defense contractors.
Shortly before Microsoft’s announcement, Hafnium went on a penetration spree, compromising “hundreds of thousands” of Exchange servers according to two cybersecurity experts who briefed US National Security officials and reported their findings to journalist Brian Krebs.
Logz.io Cloud SIEM Rules and Response
As is standard practice with emerging threats, Logz.io immediately added rules to our Cloud SIEM to detect potential Hafnium activity.
These Logz.io rules detect web shells deployed by Hafnium to maintain access to a given victim network. We will continue to monitor for evolving behavior and update our rule sets for new web shells or access methods accordingly.
Why detect web shells as opposed to the Exchange vulnerabilities exploited in the attack? Simple: each of the four vulnerabilities Microsoft published would be rendered unnecessary if Hafnium had already obtained administrator credentials.
Rather than detect vulnerabilities that may or may not have been exploited, we chose to detect Indicators of Compromise that point definitively to Hafnium’s activity. Our customers can choose to augment these rules with other rules specific to individual vulnerabilities.
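To make the “detect the web shell, not the vulnerability” approach concrete, here is an added illustration (not Logz.io’s actual rule logic) of the kind of check a SIEM rule performs over IIS request logs from an Exchange front end: any .aspx endpoint that is not in a baseline of known Exchange pages, or that sits under a directory that should only serve static content, is flagged. The log lines, the baseline set and the static-only prefix are constructed assumptions for the example; a real deployment would build the baseline from a known-clean install.

```python
import re
from dataclasses import dataclass

# Constructed IIS W3C log lines for illustration (not from the original post).
# Assumed field order: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
#                      cs-username c-ip cs(User-Agent) sc-status
SAMPLE_IIS_LOG = """\
2021-03-02 10:00:01 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-02 10:00:07 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-02 10:01:15 10.0.0.5 POST /aspnet_client/system_web/sample1.aspx - 443 - 198.51.100.7 python-requests/2.25 200
2021-03-02 10:01:20 10.0.0.5 POST /owa/auth/sample2.aspx - 443 - 198.51.100.7 python-requests/2.25 200
2021-03-02 10:02:00 10.0.0.5 GET /ecp/default.aspx - 443 - 203.0.113.10 Mozilla/5.0 302
"""

# Assumed baseline of .aspx pages that legitimately exist on this server.
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}

# Assumed directories that should never serve dynamic (.aspx) pages.
STATIC_ONLY_PREFIXES = ("/aspnet_client/",)

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \S+ (?P<method>\S+) (?P<uri>\S+) \S+ \S+ \S+ "
    r"(?P<client>\S+) (?P<agent>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Alert:
    client: str
    uri: str
    reason: str


def detect_webshell_activity(log_text: str) -> list:
    """Return one Alert per request to an unexpected .aspx endpoint."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip header lines or malformed records
        uri = m["uri"].lower()  # IIS paths are case-insensitive
        if not uri.endswith(".aspx") or uri in KNOWN_ASPX:
            continue  # not a dynamic page, or a known-good Exchange page
        if uri.startswith(STATIC_ONLY_PREFIXES):
            reason = "aspx under static-only directory"
        elif m["method"] == "POST":
            reason = "POST to unknown aspx endpoint"  # typical web shell command channel
        else:
            reason = "request to unknown aspx endpoint"
        alerts.append(Alert(m["client"], uri, reason))
    return alerts


def suspicious_clients(log_text: str) -> dict:
    """Group alerts by client IP so a SIEM can rank the noisiest sources."""
    counts = {}
    for alert in detect_webshell_activity(log_text):
        counts[alert.client] = counts.get(alert.client, 0) + 1
    return counts
```

Running it over the constructed log yields two alerts, both from 198.51.100.7, while the legitimate OWA and ECP traffic from 203.0.113.10 is left alone.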
So Who’s at Risk?
Anyone with a public-facing, self-hosted Exchange server — basically anyone running Outlook Web Access, which is pretty much anyone hosting their own Exchange — should consider themselves compromised.
Because of the nature of the attack, smaller organizations with poorer defenses and scarce security resources are particularly vulnerable.
The situation highlights inequity in cyber defense: the largest organizations have the money, people, and expertise to maintain proper defenses, while a very long tail of companies in retail, healthcare, manufacturing, and even government simply can’t defend themselves.
Shedding Light on MSSP Advantages
The attack also sheds light on the advantages of a cloud-first model. Anyone who has adopted Office 365 for email can sleep soundly at night. On a similar note, organizations employing Managed Security Service Providers are punching above their weight security-wise. That stems from the fact that their MSSPs provide economies of scale across their customer bases that an individual customer couldn’t achieve on their own.
By providing Hafnium detections to our security partners as soon as the threat actor is disclosed, we serve our partners. But we also help all the end customers those partners serve. Of course the story doesn’t end there; customers will need to patch their Exchange systems as soon as possible.
Anyone who has worked in IT operations knows that this process can take months. In some cases — such as Industrial Control Systems that rely on email for alerting — patching mission-critical email servers can take even longer.
In the meantime, detection of the evolving Hafnium tactics will be critical, and we at Logz.io are committed to that cause.