The critical data of a business organization is always exposed to external and internal threats, and administrators try to minimize such threats. Generally, managers can train their employees to follow security protocols and so manage internal threats. External cyberattacks, however, are committed by hackers who use different tactics to enter your network.
Recently, the Microsoft Threat Intelligence Center (MSTIC) found a new cyberattack that uses zero-day exploits to target on-premises Exchange Server accounts and infiltrate the network. After entering the network, the attacker can install malware and remain in the system for a long period. MSTIC attributed the attack to the HAFNIUM group, a group of hackers supported by China. You can consider it a state-sponsored, covert attack group that uses several tactics to steal from or intimidate businesses.
The HAFNIUM group mainly targets various types of businesses based in the United States. These businesses are various law firms, higher education institutions, defense companies, think tanks, non-government organizations, infectious disease researching facilities, serum manufacturers, etc.
The HAFNIUM group operates within the United States through various leased Virtual Private Servers. Earlier, it used to infiltrate networks through their internet-facing servers. It uses some legitimate applications, like Covenant's command prompt, to gain entrance. Once inside the network, the group copies the data and uploads it to data-sharing sites like Mega upload.
Recently, Microsoft found that the HAFNIUM group is targeting its Exchange Server customers. Most of the time, the attackers are unable to change user account settings, but they steal the data and make it public.
Microsoft has identified several loopholes at various points of the network that HAFNIUM uses to enter it. Microsoft has also released a security patch for each loophole to protect Exchange Server from future attacks.
There are several indicators, checkpoints, log files, and advanced hunting queries that you can run from the Exchange Shell to find the problem. Microsoft encourages Exchange administrators to run all of these queries and check for symptoms of the problem.
The Exchange HttpProxy logs are located in the Program Files folder of the Exchange Server.
In these log files, check for entries where AuthenticatedUser is empty and AnchorMailbox matches the pattern ServerInfo~*/*.
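As an added example (not part of the original post or of Microsoft's tooling), the following script applies the HttpProxy indicator described above: it reads a CSV-shaped HttpProxy log, skips the leading metadata lines, and reports every request whose AuthenticatedUser is empty while its AnchorMailbox matches ServerInfo~*/*. The column set and the embedded sample log are constructed assumptions; the real files carry more columns, but the two names used here are the ones the check depends on.

```python
import csv
import fnmatch
import io
import sys
from typing import Dict, Iterable, Iterator, List

# Constructed sample in the shape of an Exchange HttpProxy CSV log. The column set is
# an assumed, reduced subset of the real file; the leading "#" lines are assumed metadata.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-02T10:00:01.000Z,11111111-aaaa-4000-8000-000000000001,10.0.0.5,/owa/,CONTOSO\\alice,Sid~S-1-5-21-1
2021-03-02T10:00:07.000Z,22222222-aaaa-4000-8000-000000000002,10.0.0.9,/ecp/default.flt,,ServerInfo~example-host/some/path
2021-03-02T10:00:09.000Z,33333333-aaaa-4000-8000-000000000003,10.0.0.7,/mapi/,CONTOSO\\bob,ServerInfo~other-host/path
2021-03-02T10:00:12.000Z,44444444-aaaa-4000-8000-000000000004,10.0.0.9,/autodiscover/,,Smtp~alice@contoso.com
"""

# The indicator from Microsoft's guidance: no authenticated user, yet an AnchorMailbox
# of the form ServerInfo~<host>/<path>.
ANCHOR_PATTERN = "ServerInfo~*/*"


def data_lines(lines: Iterable[str]) -> Iterator[str]:
    """Skip metadata ("#") and blank lines so csv.DictReader sees only the header and rows."""
    for line in lines:
        if line.strip() and not line.startswith("#"):
            yield line


def is_suspicious(row: Dict[str, str]) -> bool:
    """True only when both halves of the indicator hold for one log row."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = row.get("AnchorMailbox") or ""
    # fnmatch's "*" also matches "/", so the trailing "*" covers a multi-segment path.
    return user == "" and fnmatch.fnmatchcase(anchor, ANCHOR_PATTERN)


def find_suspicious_entries(log_text: str) -> List[Dict[str, str]]:
    """Return every row matching the indicator, keeping all columns for triage."""
    reader = csv.DictReader(data_lines(io.StringIO(log_text)))
    return [row for row in reader if is_suspicious(row)]


if __name__ == "__main__":
    # Pass a real HttpProxy log path as the first argument; otherwise scan the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HTTPPROXY_LOG
    for hit in find_suspicious_entries(text):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["RequestId"], hit["AnchorMailbox"])
```

On the sample, only the second row is reported: the third has the AnchorMailbox shape but an authenticated user, and the fourth has no user but a normal Smtp~ anchor.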
Find the Exchange log files at the location:
If you see that log files are being downloaded to other directories, it means that the HAFNIUM hackers have infiltrated your system.
The hacker's bug creates the deserialization with the following properties:
The HAFNIUM attack is meant to steal, modify, or delete data. It can easily destroy all of your business data and corrupt it beyond repair. In such a situation, you can try the ESEUTIL tool to repair the EDB file. However, ESEUTIL cannot repair severely affected database files, so you can try a professional Exchange recovery solution to recover lost or missing Exchange data completely from inaccessible EDB files. The best tool you can try is Kernel for Exchange Server. With this tool, you can save the recovered data to Office 365 as well (in addition to live Exchange).
Microsoft has handled the HAFNIUM attack well and upgraded the security patches for Exchange Server. But if the database is corrupt, you should repair it as soon as possible. Kernel for Exchange Server is an Exchange recovery tool that repairs the Exchange Database (EDB) file and helps you save the recovered items. You can save the recovered items to a live Exchange Server or to Office 365.