On March 11, Practical 365 hosted a panel discussion with several Exchange and security experts. I was asked to boil down the intense, hour-long session into a Q&A… and here it is. Joining me in the panel were Michael Van Horenbeeck, Jeff Guillet, and Bryan Patton.
Note: after the original Hafnium panel, Microsoft released the One-Click Microsoft Exchange On-Premises Mitigation Tool (EOMT). If you haven’t already done so, download and run this tool right now. Don’t worry; this web page isn’t going anywhere.
UPDATEs: On April 9, 2021 the FBI received a warrant from the U.S. District Court of Southern Texas to ethically hack U.S. organizations who still have the Exchange Server exploit web shell in their environment. This unprecedented action from the FBI shows the threat these web shells within U.S. organizations pose to national security. On April 13th, Microsoft announced four new remote code vulnerabilities which require the April 2021 updates issues for Exchange Server 2013, 2016, and 2019.
Want to remove these web shells yourself and look for other signs of compromise? Get the full details in this technical brief: Defend Exchange Server from HAFNIUM Attacks.
Q: Is there any version of Exchange that is safer or less vulnerable than others?
A: After the original webcast, Microsoft confirmed that the vulnerability was first introduced in Exchange 2013, so older versions aren’t vulnerable to the full attack. Although it is out of support, Exchange 2010 is still used by some companies so it needs to be patched because it’s vulnerable to CVE-2021-26857, one of the four Hafnium vulnerabilities. Microsoft hasn’t patched any version earlier than Exchange 2010.
Q: What about Exchange Online?
A: Exchange Online uses a different code base than the on-premises servers and is not vulnerable to the current attack. For one thing, Exchange Online does not allow insecure connections over TCP/443 to Exchange virtual directories like OWA and ECP, which were exploited in the attack.
Q: There are a considerable number of people who only use Exchange on-premises because Microsoft requires an on-premises server to manage on-premises objects. Are these customers any better or worse off than people who are still hosting Exchange on-premises mailboxes?
A: It really depends. If you are that lucky customer that’s moved entirely to the cloud, but you’re still keeping that Exchange Server just because you have to, and you aren’t publishing services to the Internet, then you’re probably better off than everyone else. “Not publishing” means that you don’t expose any services on that server to the Internet: no Autodiscover, no Exchange Web Services, no OWA, etc. However, if you are keeping a server and are still publishing it to the Internet, then you’re susceptible. However, even an unpublished server still represents a vulnerability—someone who can compromise any device on your network through any means can use that as a springboard to attack the Exchange server’s vulnerability and then move laterally through your network.
Q: What else in the environment do I need to be worried about besides my Exchange Servers? For example, if my Exchange Server has been compromised, should I burn it down and rebuild it, or do I need to be worried about other parts of my network?
A: An attacker who can compromise any Exchange server may be able to move laterally and compromise other machines and resources, including Active Directory. You should assume any part of your network may have been compromised and treat this as an incident response situation, taking the same procedures you would for a known or suspected compromise of any other critical service. The “China Chopper” web shell installed by the attack payload can be used to download and install ransomware, and there are multiple reports of attackers doing exactly that with DearCry. Attackers may also use tools such as MimiKatz to mount attacks on Active Directory.
Often the easiest solution is to take a server offline for a complete rebuild. Although this takes time, at least you will know that any nasty surprises which an attacker might have left behind are removed.
Q: How do I know I’ve been compromised?
A: A quick check is to look for .ASPX files that are in the WWWroot\ASP_client folder. There shouldn’t be anything there. If you find anything there, you’ve been compromised. Even if you don’t see anything there, you should run the EOMT to check for other indicators of compromise and, more importantly, to mitigate the threat. Read the full details in this technical brief: Defend Exchange Server from HAFNIUM Attacks.
Q: If I have been compromised, what should I do?
A: In a complex environment, there are lots of potential ways that a successful attacker can pivot and it is very difficult to clean them all up. Before you immediately start rebuilding, gather as much data as you can to attempt to verify what the attackers may have done. Look for evidence of credential dumps. Plan to reset all your passwords, including for machine accounts and local accounts. Once the passwords are reset, verify your security group membership to look for newly added accounts or unexpected changes to group memberships, and verify that every account that has domain or enterprise admin privileges is supposed to have those privileges. Automated auditing tools can be immensely valuable if you have them. Back up your Active Directory and keep the backup offline so that it cannot be compromised by ransomware. Many ransomware operations wait until sometime after the initial deployment before they encrypt the target data.
Q: My servers are clean but I see evidence that attackers probed my environment. What do I do to better protect myself against future threats?
A: Start by keep current on patches! Reduce your attack surface as much as possible. Use the widespread coverage of this attack as evidence to argue for beefing up your disaster recovery, incident response, and security monitoring capabilities. Make sure you understand and are equipped to follow the NIST incident response framework and its phases (preparation, detection and analysis, containment/eradication/recovery, and post-incident recovery).
This Q&A was pulled from an hour-long discussion and only covers the highlights. For the full discussion, watch the webcast recording. Practical365 covers the range of tools and software Microsoft has made available to help customers remediate servers here.
Don’t have time to watch the webcast? Read the complete details in this technical brief: Defend Exchange Server from HAFNIUM Attacks.
