Chinese APT Attack On-Premises Version of Microsoft Exchange

By Dave Klein

The Attack in Plain English

Last Tuesday March 2nd Microsoft announced that a Chinese Nation-State actor they called HAFNIUM had been utilizing four zero-day vulnerabilities on premises version of Microsoft Exchange.[1] Microsoft and other researchers say that the Chinese government had successfully penetrated and expanded into what was initially thought to be around 30,000 US companies and organizations. Since then, the number has been expanded to 60,000 companies and includes companies globally. While Microsoft released a patch Tuesday, March 2nd for the four zero-day vulnerabilities, the nature of this nation-state attack aligns with the strategy of others used in the past. Being well thought out and planned, breaches are not executed without first preparing and executing a series of follow up routines to dig deep into enterprises including establishing multiple backdoors that remain even if the breach is remediated. Further incursions including elevated accounts and penetrated identity stores, file servers, critical applications and “legitimate accounts” within exchange in the victim networks. Furthermore, beyond the direct attack, researchers are already finding other nation-state actors and criminal groups take advantage of the now known vulnerabilities to also exploit. They have found as of last Friday, March 5th multiple web shells per target due to “automated deployment or multiple uncoordinated actors.”[2]

If You Run Premises-Based Microsoft Exchange - Assume You Are Breached.

If your organization uses any version of premises-based Microsoft Exchange, you should assume you are currently breached. Only Exchange Online is not affected.

  1. Know that patching will not clean up an already compromised system.
  2. Most security control vendors from AV/EDR/SOCaaS were unable block the breach and subsequent expand attack.
  3. At the minimum, the expand portion of the attack included the implementation of backdoor web shells and subsequent exchange accounts created.
  4. Remediation should include full account review of all accounts and password reset of all administrative accounts in Active Directory and in Exchange.
  5. Note that both Microsoft and other researchers have detected other nation-state and criminal actors taking advantage of the exploits after the announcement on Tuesday, March 2nd.

What Can You Do to Defend Your Organization?

Carefully testing and monitoring your network for unusual activity is also critical, as the first sign of incursion may be when the threat actors try to remove data from your environment.

Test the effectiveness of your security controls against possible cyber threats with a 14-day trial of Cymulate's platform.

Start a Free Trial

Stay cybersafe!

Other Resources

Dave Klein

Dave Klein is the Director of Cyber Evangelism for Cymulate. With more than 21 years of real-world cybersecurity experience, he works with Cymulate teams, customers and industry thought leaders to address the challenges of securing modern enterprise environments. Dave’s long career includes working on the NIST response to President Obama’s Policy Directive 21 on Critical Infrastructure Security and Resilience, leading some of the largest sales engagements for US Federal security solutions, and working with the City of New York post 9/11, helping shore up cyber defenses.

Subscribe to Our Blog

Stay up to date with the latest cybersecurity news and tips