Business organizations constantly face the challenge of safeguarding their data against external and internal threats, and administrators work to mitigate these risks. Managers can typically train their workforce in security protocols to address internal threats. External cyberattacks, however, evolve constantly, as attackers employ an array of tactics to infiltrate your network.
In a recent discovery, the Microsoft Threat Intelligence Center (MSTIC) has uncovered a sophisticated cyberattack featuring zero-day exploits that specifically target on-premises Exchange Server accounts, allowing unauthorized access to the network. Once inside, the attackers can deploy malware and maintain a prolonged presence within the system. The culprits behind this attack have been identified as the HAFNIUM group, a hacker collective believed to be backed by Chinese interests. This group operates covertly as a state-sponsored entity, employing a range of tactics to either pilfer sensitive data or engage in acts of intimidation against businesses.
The HAFNIUM group primarily focuses its cyberattacks on a diverse range of American entities. This includes law firms, universities, defense contractors, think tanks, non-governmental organizations, infectious disease research facilities, and serum manufacturers, among others.
The HAFNIUM group operates within the United States by leveraging leased Virtual Private Servers (VPS). Previously, they employed the strategy of infiltrating networks via their internet-facing servers. To gain initial access, they utilize seemingly legitimate applications such as Covenant’s command prompt. Once inside the network, their modus operandi involves copying data and subsequently uploading it to file-sharing platforms like Mega Upload.
Microsoft has recently uncovered that the HAFNIUM group has set its sights on their Exchange Server clientele. Although they often encounter obstacles when attempting to modify user account settings, their primary objective is data theft, which they subsequently expose to the public.
Microsoft has diligently pinpointed vulnerabilities scattered throughout the network infrastructure that HAFNIUM exploits for unauthorized access. Furthermore, Microsoft has proactively provided security patches tailored to each of these vulnerabilities, fortifying the Exchange Server against potential future breaches.
Exchange administrators have at their disposal a variety of tools and resources within the Exchange Shell to pinpoint and resolve issues. These include an array of indicators, check points, log files, and advanced hunting queries. Microsoft strongly advocates the use of these diagnostic tools to proactively identify and address any symptoms or anomalies related to the problem at hand.
In the given log files, check whether the AuthenticatedUser entries are empty and the AnchorMailbox values follow the pattern ServerInfo~*/*.
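To make that check concrete, here is an added PowerShell example (not code from the article, and not Microsoft's or Kernel's own tooling) that parses HttpProxy-style CSV log lines and returns the rows whose AuthenticatedUser is empty and whose AnchorMailbox matches ServerInfo~*/*. The sample log lines are constructed for the example, the column names are those found in Exchange HttpProxy logs, and the log directory is assumed to be Exchange's default install location.

```powershell
# Added example (not from the original article, Microsoft or Kernel): scan
# Exchange HttpProxy logs for requests with an empty AuthenticatedUser and an
# AnchorMailbox matching ServerInfo~*/*, the pattern the article names.
# Assumptions: the logs are CSV with a header row (as HttpProxy logs are), and
# the default path below is where Exchange was installed.

function Find-SuspiciousProxyRequests {
    param(
        # Log text as an array of lines, so the function runs both on the
        # constructed sample below and on real files read with Get-Content.
        [Parameter(Mandatory)] [string[]] $LogLines
    )
    # Drop blank lines and any '#'-prefixed comment lines so the first
    # remaining line is the CSV header.
    $csv = $LogLines | Where-Object { $_ -and -not $_.StartsWith('#') }
    $rows = $csv | ConvertFrom-Csv
    $rows | Where-Object {
        [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
        $_.AnchorMailbox -like 'ServerInfo~*/*'
    } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
}

# Constructed sample log lines (not real data): one normal authenticated
# request and one unauthenticated request that matches the indicator.
$sample = @(
    'DateTime,RequestId,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,ClientIpAddress,UrlStem,HttpStatus',
    '2021-03-03T10:15:01.123Z,aaaa-1111,Kerberos,true,contoso\alice,Smtp~alice@contoso.com,10.0.0.5,/owa/,200',
    '2021-03-03T10:16:44.987Z,bbbb-2222,,false,,ServerInfo~exch01.contoso.local/ecp/,198.51.100.23,/ecp/,200'
)

# Run on the constructed sample; only the second request should be listed.
Find-SuspiciousProxyRequests -LogLines $sample | Format-Table -AutoSize

# On an Exchange server, run the same check over the real HttpProxy logs
# (assumed default path; adjust if Exchange is installed elsewhere) and tag
# each hit with the log file it came from.
$logRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15\Logging\HttpProxy'
if (Test-Path $logRoot) {
    Get-ChildItem -Path $logRoot -Recurse -Filter '*.log' | ForEach-Object {
        $file = $_.Name
        Find-SuspiciousProxyRequests -LogLines (Get-Content $_.FullName) |
            Add-Member -NotePropertyName LogFile -NotePropertyValue $file -PassThru
    } | Format-Table -AutoSize
}
```

Run it from the Exchange Management Shell on the server itself. A matching row is a lead to investigate against the server's other logs and the patch level, not proof of compromise on its own; an empty result on a fully patched server is the outcome you want.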
If you find that log files have been copied or downloaded to other directories, treat it as a sign that the HAFNIUM hackers have infiltrated your system.
In such dire circumstances, it is advisable to explore professional Exchange data recovery solutions to fully retrieve lost or inaccessible Exchange data from EDB files. A highly recommended tool for this purpose is Kernel for Exchange Server, which not only facilitates Exchange Recovery but also offers the capability to save the recovered data to Office 365, in addition to the live Exchange environment.
Microsoft has handled the HAFNIUM attack well and upgraded the security patches of the Exchange Server. But if the database is corrupt, you should repair it as soon as possible. Kernel for Exchange Server is the tool that will repair the Exchange Database (EDB) file and help you save the recovered items. You can save the recovered items to a live Exchange Server or to Office 365.