Kernel Data Recovery Blog

How to deal with the Hafnium attack on Microsoft Exchange Server?

Read time 4 minutes

Summary: Exposure of your Exchange Server to a Hafnium attack is hazardous, as it will take over your entire database. If your Exchange is breached by hafnium, then your sensitive data is corrupted or gone. Here, you will read about the Hafnium attack and workable methods to fix corrupt EDB files. However, apart from manual options, it’s more beneficial to use an automated Kernel for Exchange Server to easily recover your Exchange data accurately.

The critical data of business organizations is always vulnerable to external and internal threats, and the administrator tries to minimize such threats. Generally, organizations integrate Microsoft security products, and train their employees to follow these security protocols and manage internal threats. Still, external cyberattacks are committed by hackers who use different tactics to enter your network.

Recently, Microsoft Threat Intelligence Center (MSTIC) found a new cyberattack with 0-day exploits that target the on-premises Exchange Server accounts and infiltrate the network. After entering the network, it can install some malware and remain in the system for a long period. MSTIC has found the source of the attack as the HAFNIUM group that is a group of hackers supported by China. You can consider it as a state-sponsored veiled attacking group that uses several tactics to steal or intimidate the businesses.

What is the HAFNIUM group?

The HAFNIUM group mainly targets various types of businesses based in the United States. These businesses are various law firms, higher education institutions, defense companies, think tanks, non-government organizations, infectious disease researching facilities, serum manufacturers, etc.

HAFNIUM group operates within the United States through various leased Virtual Private Servers. Earlier, it used to infiltrate the network through their internet-facing servers. It uses some legitimate applications like Covenant’s command prompt to gain entrance. Once it enters the network, they copy the data and paste it to the data sharing sites like Mega upload.

Recently, Microsoft found out that the HAFNIUM group is targeting their Exchange Server customers with low security integrations. Most of the time, they are unable to change the user account settings, but they steal the data and make it public.

Types of network vulnerabilities leading Hafnium attack on Exchange

Microsoft Threat Intelligence Center (MSTIC) has identified some loopholes in the security wall in various points of the Exchange network that HAFNIUM uses to enter the network. Microsoft has also given the security patch for each loophole to protect the Exchange Server from future attacks.

How to find if Exchange Server is breached?

Microsoft Exchange provides several indicators, checking points, log files, and advanced hunting queries that you can run on Exchange Shell to find the problem. The Exchange administrators are encouraged by Microsoft to run all these queries and check for the symptoms of the problem.

  1. Check the Exchange HttpProxy logs (CVE-2021-26855): The Exchange HttpProxy logs are present are the Program File folder in Exchange Server.
    Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy

    At the given log files, check the AuthenticatedUser entries are empty, and the AnchorMailbox has the pattern of ServerInfo~*/*.

  2. Check the Exchange log files (CVE-2021-26858): Find the Exchange logfiles at the location:

    Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog
    Or
    Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory

    If you see that log files are downloaded to other directories, then it means that the HAFNIUM hackers have infiltrated your system.

  3. Check Windows Application event logs (CVE-2021-26857): The hacker bug will create the deserialization that result in errors within the following properties:
    Source: MSExchange Unified Messaging
    EntryType: Error
    Event Message Contains: System.InvalidCastException
  4. Check Windows Application event logs (CVE-2021-27065):
  5. Detect these log files through the verification of Virtual Directory. Use the below mentioned location:

    Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server

Repair the corrupt Exchange database file

The HAFNIUM attack is meant to steal, modify, or delete data. It can easily destroy the whole data of your business and corrupt it beyond repair. In such a situation, you can try the ESEUTIL tool to repair EDB. However, the ESEUTIL tool cannot repair severely affected database files. So, you can try professional Kernel for Exchange Server data recovery software to recover the lost or missing Exchange data completely from inaccessible EDB files. This is the best tool you can try that allows you to save the recovered data to Office 365 as well (in addition to live Exchange).

Conclusion

Microsoft Security Response Center (MSRC) has handled the HAFNIUM attack well by introducing the security patches of the Exchange Server. The above article described the situation where some organizations working without MSRC security policies or delayed are under a Hafnium attack on Exchange.