The critical data of business organizations is always exposed to external and internal threats, and administrators try to minimize those threats. Organizations generally integrate Microsoft security products and train their employees to follow security protocols and manage internal threats. Still, external cyberattacks are carried out by hackers who use many different tactics to enter your network.
Recently, the Microsoft Threat Intelligence Center (MSTIC) identified a new cyberattack that uses 0-day exploits to target on-premises Exchange Server accounts and infiltrate the network. After entering the network, the attacker can install malware and remain in the system for a long period. MSTIC attributed the attack to the HAFNIUM group, a group of hackers supported by China. You can consider it a state-sponsored covert attack group that uses several tactics to steal from or intimidate businesses.
What is the HAFNIUM group?
The HAFNIUM group mainly targets various types of businesses based in the United States, including law firms, higher education institutions, defense contractors, think tanks, non-governmental organizations, infectious disease research facilities, and serum manufacturers.
The HAFNIUM group operates within the United States through leased Virtual Private Servers. Earlier, it used to infiltrate networks through their internet-facing servers. It uses legitimate applications such as Covenant’s command prompt to gain entrance. Once inside the network, the group copies data and uploads it to data-sharing sites such as Mega upload.
Recently, Microsoft found that the HAFNIUM group is targeting Exchange Server customers with weak security integrations. Most of the time, the attackers are unable to change user account settings, but they steal data and make it public.
Types of network vulnerabilities leading to the HAFNIUM attack on Exchange
The Microsoft Threat Intelligence Center (MSTIC) has identified several loopholes at various points of the Exchange network that HAFNIUM uses to enter the network. Microsoft has also released a security patch for each loophole to protect the Exchange Server from future attacks.
- CVE-2021-26855: This identifier denotes a server-side request forgery vulnerability in on-premises Exchange Server. The attacker uses it to send genuine-looking HTTP requests that the Exchange Server treats as genuine client requests.
- CVE-2021-26857: This is an insecure deserialization vulnerability in the Unified Messaging (UM) service. By exploiting it, the attackers gain the ability to run code on the Exchange Server.
- CVE-2021-26858: This is a post-authentication arbitrary file write vulnerability in on-premises Exchange Server. Once the HAFNIUM attackers can authenticate their requests, they can write a new file to any folder or path on the server. It is a crucial vulnerability because it can alter the administrator’s genuine credentials and thus affect every Exchange user.
- CVE-2021-27065: This is another post-authentication arbitrary file write vulnerability that the HAFNIUM attackers use after authenticating their requests. It gives more direct access to write a new file to any folder or path on the server.
How to find if Exchange Server is breached?
Microsoft provides several indicators, check points, log files, and advanced hunting queries that you can run in the Exchange Shell to find the problem. Microsoft encourages Exchange administrators to run all of these queries and check for symptoms of compromise.
- Check the Exchange HttpProxy logs (CVE-2021-26855): The Exchange HttpProxy logs are located under the Program Files folder on the Exchange Server:
Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy
In these log files, look for entries where AuthenticatedUser is empty and AnchorMailbox matches the pattern ServerInfo~*/*.
- Check the Exchange log files (CVE-2021-26858): Find the Exchange log files at the location:
Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog
Or
Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory
If the logs show files being downloaded to directories other than this one, it means that the HAFNIUM attackers have infiltrated your system.
- Check Windows Application event logs (CVE-2021-26857): Exploitation of the deserialization bug results in errors with the following properties:
Source: MSExchange Unified Messaging
EntryType: Error
Event Message Contains: System.InvalidCastException
- Check Windows Application event logs (CVE-2021-27065): Detect these log entries by verifying the Virtual Directory changes. Use the below-mentioned location:
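The HttpProxy and Application event log checks above, written as PowerShell you can run on the Exchange Server (an added example, not code from the original article or from Microsoft). The default log path is the one named above; the sample log rows at the end are constructed for an offline demonstration, not a real capture.

```powershell
# Added example: hunt for the CVE-2021-26855 and CVE-2021-26857 indicators described above.

function Find-SuspiciousHttpProxyRequests {
    param(
        # Default is the HttpProxy log root named in the article.
        [string]$LogRoot = "$env:ProgramFiles\Microsoft\Exchange Server\V15\Logging\HttpProxy"
    )
    # HttpProxy logs are CSV files with a header row, so Import-Csv exposes the columns by name.
    Get-ChildItem -Path $LogRoot -Filter '*.log' -Recurse -File |
        ForEach-Object { Import-Csv -Path $_.FullName } |
        Where-Object {
            # Indicator: no authenticated user, yet an AnchorMailbox of the form ServerInfo~*/*
            [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
            $_.AnchorMailbox -like 'ServerInfo~*/*'
        } |
        Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
}

function Find-UmDeserializationErrors {
    # Indicator: Application log errors from the UM source mentioning System.InvalidCastException.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MSExchange Unified Messaging'
        Level        = 2   # 2 = Error
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'System\.InvalidCastException' } |
        Select-Object TimeCreated, Id, Message
}

# Offline demonstration on a constructed log (subset of the real HttpProxy CSV columns):
# the first row is a normal authenticated request, the second matches the indicator.
$sampleRoot = Join-Path ([System.IO.Path]::GetTempPath()) 'httpproxy-sample'
New-Item -ItemType Directory -Path $sampleRoot -Force | Out-Null
@'
DateTime,RequestId,AuthenticatedUser,AnchorMailbox,ClientIpAddress,UrlStem
2021-03-02T10:15:01.000Z,1,EXAMPLE\jdoe,Sid~S-1-5-21-1,10.0.0.5,/owa/
2021-03-02T10:15:07.000Z,2,,ServerInfo~mail.example.invalid/ecp/,10.0.0.9,/ecp/
'@ | Set-Content -Path (Join-Path $sampleRoot 'HttpProxy_sample.log')

# Expect exactly the second row to be reported.
Find-SuspiciousHttpProxyRequests -LogRoot $sampleRoot | Format-Table -AutoSize

# On a live server, run the event log check as well (requires an elevated shell):
# Find-UmDeserializationErrors | Format-List
```

Running Find-SuspiciousHttpProxyRequests without the -LogRoot parameter scans the real HttpProxy log tree, which can be large; scope it to a protocol subfolder if you only need a quick look.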
Repair the corrupt Exchange database file
The HAFNIUM attack is meant to steal, modify, or delete data. It can easily destroy your business data and corrupt it beyond repair. In such a situation, you can try the ESEUTIL tool to repair the EDB file. However, ESEUTIL cannot repair severely damaged database files. You can instead try the professional Kernel for Exchange Server data recovery software to recover lost or missing Exchange data completely from inaccessible EDB files. This tool also allows you to save the recovered data to Office 365 as well as to a live Exchange Server.
Conclusion
The Microsoft Security Response Center (MSRC) has handled the HAFNIUM attack well by releasing security patches for Exchange Server. This article described how organizations that have not applied the MSRC security patches, or have delayed applying them, are exposed to the HAFNIUM attack on Exchange.