How to deal with the Hafnium attack on Microsoft Exchange Server?

Read time 4 minutes

Business organizations constantly face the precarious challenge of safeguarding their invaluable data against a spectrum of external and internal threats. Administrators diligently endeavor to mitigate these risks. Typically, managers can impart comprehensive security protocols to their workforce to adeptly address internal threats. However, the ever-evolving landscape of external cyberattacks presents a formidable adversary, as cunning hackers employ an array of tactics to infiltrate your network.

In a recent discovery, the Microsoft Threat Intelligence Center (MSTIC) has uncovered a sophisticated cyberattack featuring 0-day exploits that specifically target on-premises Exchange Server accounts, allowing unauthorized access to the network. Once inside, this threat has the capability to deploy malware and maintain a prolonged presence within the system. The culprits behind this attack have been identified as the HAFNIUM group, a hacker collective believed to be backed by Chinese interests. This group operates covertly as a state-sponsored entity, employing a range of tactics to either pilfer sensitive data or engage in acts of intimidation against businesses.

What is the HAFNIUM group?

The HAFNIUM group primarily focuses its cyberattacks on a diverse range of American entities. This includes law firms, universities, defense contractors, think tanks, non-governmental organizations, infectious disease research facilities, and serum manufacturers, among others.

The HAFNIUM group operates within the United States by leveraging leased Virtual Private Servers (VPS). Previously, they employed the strategy of infiltrating networks via their internet-facing servers. To gain initial access, they utilize seemingly legitimate applications such as Covenant’s command prompt. Once inside the network, their modus operandi involves copying data and subsequently uploading it to file-sharing platforms like Mega Upload.

Microsoft has recently uncovered that the HAFNIUM group has set its sights on their Exchange Server clientele. Although they often encounter obstacles when attempting to modify user account settings, their primary objective is data theft, which they subsequently expose to the public.

Microsoft has diligently pinpointed vulnerabilities scattered throughout the network infrastructure that HAFNIUM exploits for unauthorized access. Furthermore, Microsoft has proactively provided security patches tailored to each of these vulnerabilities, fortifying the Exchange Server against potential future breaches.

• CVE-2021-26855: This code represents a server-side request forgery vulnerability within on-premises Exchange Servers, exploited by hackers to send deceptive HTTP requests that appear genuine to the Exchange Server, tricking it into treating them as legitimate client requests.
• CVE-2021-26857: This vulnerability resides in the Unified Messaging service section and poses a significant security risk due to its potential for insecure deserialization. Exploiting this vulnerability grants malicious actors the capability to execute arbitrary code on the Exchange Server, potentially leading to serious security breaches.
• CVE-2021-26858: This vulnerability represents a post-authentication arbitrary file write exploit targeting on-premises Exchange Servers. Once the HAFNIUM hacker successfully authenticates their query, they gain the ability to create new files in any server folder or path. This vulnerability is particularly significant due to its potential to manipulate legitimate administrator credentials, thereby impacting all Exchange users.
• CVE-2021-27065: This is yet another post-authentication vulnerability that HAFNIUM hackers leverage to authenticate their queries. It provides a more direct means of creating and writing new files within any folder or path on the server.

Exchange administrators have at their disposal a variety of tools and resources within the Exchange Shell to pinpoint and resolve issues. These include an array of indicators, check points, log files, and advanced hunting queries. Microsoft strongly advocates the use of these diagnostic tools to proactively identify and address any symptoms or anomalies related to the problem at hand.

1. Check the Exchange HttpProxy logs (CVE-2021-26855): The Exchange HttpProxy logs are present are the Program File folder in Exchange Server.
   Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy

   At the given log files, check the AuthenticatedUser entries are empty, and the AnchorMailbox has the pattern of ServerInfo~*/*.

2. Check the Exchange log files (CVE-2021-26858): Find the Exchange logfiles at the location:
   Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog
   Or
   Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory

   If you see that log files are downloaded to other directories, then it means that the HAFNIUM hackers have infiltrated your system.

3. Check Windows Application event logs (CVE-2021-26857): The hacker bug will create the deserialization with the following properties:
   Source: MSExchange Unified Messaging
   EntryType: Error
   Event Message Contains: System.InvalidCastException
4. Repair the corrupt Exchange database file: The HAFNIUM cyberattack is a malicious operation designed to unlawfully acquire, manipulate, or obliterate valuable data. This perilous intrusion has the potential to inflict catastrophic damage upon your business’s data infrastructure, rendering it irreparable. In the event of such a crisis, one option is to employ the ESEUTIL tool to address issues within the EDB (Exchange Database) files. Nonetheless, it’s important to note that the ESEUTIL tool may be inadequate for restoring severely compromised database files.

In such dire circumstances, it is advisable to explore professional Exchange data recovery solutions to fully retrieve lost or inaccessible Exchange data from EDB files. A highly recommended tool for this purpose is Kernel for Exchange Server, which not only facilitates Exchange EDB Recovery but also offers the capability to save the recovered data to Office 365, in addition to the live Exchange environment.

Conclusion

Microsoft has handled the HAFNIUM attack well and upgraded the security patches of the Exchange Server. But, if the database is corrupt, then you should repair it as soon as possible. Kernel for Exchange Server is the tool that will repair the Exchange Database (EDB) file and help you save the recovered items. You can save the recovered items in live Exchange Server or Office 365.