[German]The Hafnium hacker group has probably managed to compromise hundreds of thousands of Exchange installations worldwide via vulnerabilities. A patch to close the vulnerabilities is available, but it may be too late. However, tools are now available from Microsoft and third parties to check Exchange instances for signs of the hack.
Advertising
Hundreds of thousands of Exchange servers infiltrated
It appears that after the SolarWinds attack by suspected state-affiliated Russian attackers, the next security disaster has just been revealed. Hackers from the suspected state-affiliated Chinese hacking group Hafnium have been using vulnerabilities in on-premise Exchange servers to infiltrate for months. The vulnerability was not closed by security updates until March 2, 2021. I had reported about it in various blog posts (see end of article). And the Volexity blog (their security researchers discovered the attack and vulnerabilities) has this post on the subject. dieser Beitrag zum Thema.
The attackers' goal was to gain control of the victims' email and possibly access and infiltrate their network infrastructure via Active Directory permissions. Just a few days ago, I assumed that only a few US institutions and companies were targeted.
It is now clear that mass scans were conducted on the Internet and that the hafnium group was aggressively trying to infiltrate vulnerable Exchange instances. In the blog post Important Important notes from Microsoft regarding the Exchange server security update (March 2021), I had mentioned the German BSI's warning that thousands of German Exchange installations had been hacked. The BSI has started to inform identified affected people by mail.
Infected Exchange servers, Source: Rapid7 – Click to Zoom
In this article, security vendor Rapid7 in diesem Artikel assumes there are 170,000 Exchange servers at risk, though there are probably "hot spots" in the U.S. and Germany with more than 10,000 instances. The article also gives IP addresses that scan the Internet – and there is an analysis of how one might detect an infection. More information and analysis is provided in this Microsoft article, as well as this US-CERT warning.
Advertising
It's a terrible mess, because it likely have affected many small businesses where an Exchange server is bumming around (see also this Wired article). Security researchers from the discovering security vendor Volexity consider the whole thing a ticking time bomb. And patching now won't help if the hafnium group has already installed a webshell as a backdoor.
Scan tools from Microsoft & CERT
Microsoft has extended a long-standing PowerShell script known as Test-Hafnium, named Test-ProxyLogon.ps1, to detect the vulnerabilities now being exploited. The script and additional notes can be found on GitHub.
points out the PowerShell script Test-ProxyLogon.ps1in the above tweet – this article has some more notes on the topic. Microsoft security researcher Kevin Beaumont points to an official Microsoft nmap script in the following tweet that identifies whether systems are vulnerable to the Exchange vulnerabilities regardless of the CU/SU situation. No authentication is required.
Microsoft nmap script for Exchange vulnerabilities
CERT Latvia has also published a script on GitHub that can be used to check whether an Exchange server has been infected with a webshell. Catalin Cimpanu points out the issue in the following tweet.
Exchange test script (CERT Latvia)
Similar articles
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
