Why the Microsoft Exchange Server attack isn’t going away soon

On March 2, Microsoft revealed a critical cybersecurity offensive launched by a foreign adversary against organizations in the United States. The company attributed the attacks to a Chinese advanced persistent threat group it calls Hafnium. Microsoft quickly announced patches for the four previously unknown vulnerabilities in Exchange Server that the malicious actors had exploited. 

Reports circulated last week that the hackers compromised at least 30,000, and likely hundreds of thousands, of unpatched Exchange servers. As a consequence, incident responders are working around the clock responding to this latest threat, which they consider an actual attack on public and government IT infrastructure, unlike the still-ongoing, primarily espionage-oriented SolarWinds hack.

The Biden Administration, already grappling with the fallout from the massive SolarWinds hack, which became public in December and has been widely, although not officially, attributed to Russian hackers, said it would take” a whole of government response to assess and address the impact.” Anne Neuberger, the deputy national security adviser for cybersecurity, leads that effort.

Exchange Server attack timeline

The sequence of events around the Exchange Server attack shows how concern about its consequences has escalated.

January 3: The date researchers at security firm Volexity believes the vulnerabilities were first exploited.

March 2: Microsoft announces the attack and releases patches.

March 3: The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering all federal agencies to disconnect Microsoft Exchange products running on-premises and report back on their efforts by March 5. CISA also issued an outline of the tactics, techniques, and procedures (TTPs) and the indicators of compromise (IOCs) used by the threat group and offered guidance on how to mitigate Exchange Server vulnerabilities.

March 6: Microsoft issued a new update to its Microsoft Safety Scanner (or Microsoft Support Emergency Response Tool, MSERT) tool to scan for web shells deployed in the recent attacks.

March 8: CISA published a remediating Microsoft Exchange Vulnerabilities web page, “strongly” urging all organizations to address the vulnerabilities immediately.

March 9: CISA published two new resources — a web page entitled Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise and another page, CISA Insights: SolarWinds and Active Directory/M365 Compromise: Risk Decisions for Leaders. CISA is encouraging affected organizations to follow the guidance in these resources.

March 10: A proof of concept is published for the Exchange Server attack, giving other cybercriminal group instructions for exploiting the vulnerabilities. ESET announces that it has identified ten APT groups actively attacking Exchange Servers with the technique.

Despite the warnings and available resources, victims of the Exchange Server attack could suffer consequences for an extended time. Here’s why.

Patching Exchange Server is not enough

“The biggest issue is that [the vulnerabilities were] being exploited on a wide-scale basis prior to the patches being available,” Tyler Hudak, practice lead, Incident Response at TrustedSec, tells CSO. “Even if on minute one of the patches being deployed you had gone and applied them, there’s still a chance that your system could have been compromised. I think a lot of people are under the impression that ‘Oh, well, we patched them, we’re ok.’ Which really isn’t the case.”

Steven Adair, president of Volexity, tells CSO that several tools and resources can help organizations determine if they were compromised. “The big challenge then comes for these organizations to figure out how serious a breach was once they find the indicators of attack or compromise.”

Given the magnitude of the number of servers involved, remediation of the flaws is a significant task that will undoubtedly cause operational disruption to vast swaths of government and industry. “One challenge for some organizations in responding to the Exchange vulnerabilities is that patching Exchange servers may be time-consuming, especially if they are behind on patches, and it may require downtime,” Katie Nickels, director of intelligence at threat intelligence cybersecurity firm Red Canary, tells CSO.

Cybersecurity teams are tired

The double whammy of the SolarWinds breach and now the Exchange Server attacks comes at a time when most cybersecurity professionals work more than full-time to manage the mounting number of daily cybersecurity threats, including rapidly rising cases of ransomware. “The fact that the SolarWinds and Exchange incidents happened a few months apart, however, is significant because it means many cybersecurity teams are tired,” Nickels says. “For some organizations, response to the SolarWinds compromise may still be ongoing, and now teams are hit with potentially responding to Exchange compromises.”

Even after the Microsoft patches are implemented, “you still have to go in, and you still have to look for those indicators of compromise on your Exchange servers to see if they were compromised,” Hudak says. “What we’ve seen in our investigations is that even prior to the patch being applied, if a server was compromised, there was likely a backdoor uploaded to the server. The patch is not going to prevent the backdoor from being accessed. The backdoor is completely separate from the vulnerability.”

Nickels agrees. “Installing these patches won’t let you know if you’ve already been compromised, let alone remediate an active intrusion. If security teams can gather visibility into process lineage and command line parameters associated with the Windows IIS [Internet Information Services] worker process, then they may be able to hunt or build detection for this and other Exchange web shell activity.”

Remediation can be complicated

Remediation is possible, but for some organizations, the process can be more complicated. “At this point, most organizations likely saw one or more attacks that placed a web shell on their Exchange servers,” Volexity’s Adair says. “However, there is a good chance the attackers did not access the web shells, and the breaches are fairly limited and can be remedied fairly easily.

“At the same time, a smaller set of organizations have had attackers access the web shells, dump credentials, move laterally, and start taking further steps to move well beyond their Exchange servers. This is where remediation gets a lot trickier and can involve anything from removing some files and updating a handful of passwords to rebuilding several servers and resetting every password in the organization.”

Other groups now exploiting Exchange Server

Adding even further insult to injury is that other threat actors are piling on to the vulnerabilities first exploited by Hafnium. Hudak says that around March 5, he started to see other groups aside from the Chinese hackers exploiting the Exchange vulnerabilities. “We know that there’s a different group because they were using a different backdoor than the previous attackers did. They used different backdoor names. There are other groups out there that are figuring out how to exploit this chain of vulnerabilities.”

The path to patching and remediation could become exponentially more problematic if someone publishes proof of concept code for the attacks, which Hudak expects will happen this week. “As soon as that happens, everybody’s going to have it, and everybody will be able to exploit it,” he says.

Many firms lack forensics know-how

In addition to patching and hunting for backdoors, incident responders should make copies of any backdoors they find before deleting them because forensic firms will want to look at them, Hudak advises.

“Making sure you save evidence can be key,” Adair says. “For example, instead of powering down a virtual machine and deleting it, we would recommend taking a snapshot (with memory) and saving a copy of the system in its compromised state.”

Unfortunately, most organizations don’t have the capability or forensic knowledge to get in there and figure out what the attackers did with the backdoor, Hudak maintains. “Many small- and medium-sized businesses might lack the expertise to conduct a full investigation if significant adversary activity occurred,” Nickels says.

Another potentially fraught cybersecurity task is to return any affected systems to their last known good state, which means restoring everything from a backup before the system or systems got compromised. “No matter how good your forensic analyst is, there’s always a chance they could miss something, or the attacker could have deleted something. Reverting to that known good backup will make sure that there is nothing on there now,” Hudak says.

At the minimum, every organization using an Exchange server should immediately patch, even if circumstances make patching painful. It’s easy to tell organizations to patch, but particularly if they are behind on Exchange updates, this may not be a straightforward process,” Nickels says. “Fortunately, Microsoft has provided mitigation guidance for organizations who cannot patch. Still, any organization running their own Exchange server should make immediate patching a priority. The longer an unpatched server is connected to the internet, the greater the risk is that it will be compromised.”

Editor’s note: This article has been updated on March 11 to include information on the exploit’s proof of concept.