The Hafnium Breach – Microsoft Exchange Server Attack

Who Was Affected?

Thus far, it is estimated that as many as 60,000 organizations world-wide have been compromised by the zero-day exploit, according to an article published by Bloomberg. The European Banking Authority was among those who were affected. The EBA announced that personal data may have been accessed after their email servers were compromised by the Hafnium group, and have taken their entire email system offline while they assess the damage.

What Happened?

Microsoft were allegedly warned by DEVCORE about the vulnerability at the beginning of January, according to investigative cybercrime journalist, Brian Kreb. The vulnerability allows attackers to run scripts with system level privileges on Exchange Server – a technique referred to as remote code execution (RCE).

As you would expect, many have criticized Microsoft for underestimating the scale of the issue and failing to deliver a patch in a timely manner. However, it should be noted that patching alone won’t necessarily solve the problem. Hackers have reportedly installed backdoors which will allow them access to the compromised servers even after patches have been applied and all relevant credentials have been reset. Not only that, but we don’t yet know what valuable data could have been stolen already. To make matters worse, it looks like there are four new hacking groups actively seeking to exploit the Exchange Server vulnerability, according to the MIT Technology Review.

In response to the incident the White House National Security Council has formed a “Unified Coordination Group” (UCG), which consists of the FBI, CISA, and other relevant bodies to address the issue. During a press conference on March 5, the White House press secretary told the media that “everyone running these servers — government, private sector, academia — needs to act now to patch them”.

How to Keep Your On-Premise Exchange Server Secure

In the context of addressing software vulnerabilities, the most obvious step to take is to ensure that patches are applied as soon as they are released. The Microsoft Baseline Security Analyzer (MBSA) will check for available patches and apply them automatically.

You should also use the Security Configuration Wizard (SCW) which will give you recommendations on how to enhance the security of your Exchange Server. This will include recommendations for configuring your server’s firewall, the LM authentication protocol, and SMB signing, which helps to ensure that network traffic between the SMB server and the client is not compromised.

The Exchange Best Practices Analyzer (EBPA) will check your Exchange infrastructure against the Microsoft Best Practices. Another useful Microsoft tool is the Security Compliance Manager (SCM), which will scan your server for security configuration weaknesses. It’s also a good idea to disable any services that you don’t need, as this will help to harden your Exchange implementation.

As always, you must use a firewall to shield your network from the internet, and it must be properly configured. While the built-in Windows Firewall is sufficient for most people’s needs, Forefront Protection for Exchange provides advanced detection of viruses, worms, spyware and spam. It’s also comes with a reverse proxy feature which sits behind the firewall to provide an additional level of control over the traffic that is allowed to access your Exchange environment.

Using tools for automated patch management, configuration and for granular control over inbound network traffic, are some of the preliminary methods that can help to protect Exchange Server from attack. However, you will still need to use a DCAP (Data-Centric Audit & Protection) solution to detect and respond to anomalous activity within your Exchange environment.

For example, you will need to know who is accessing which mailbox accounts, and receive real-time alerts when an account is accessed by a non-owner. Likewise, you will need to receive alerts when sensitive data is shared via Exchange Server.

Finally, it is a good idea to monitor the health of your Exchange Server, which includes keeping track of resource utilization, server status and more.

If you’d like to see how the Lepide Data Security Platform helps you audit changes made to Exchange Server and ultimately protect your data, schedule a demo with one of our engineers or start your free trial today.