Three Solution Actions for HAFNIUM Attacks on Microsoft Exchange Servers

March 16, 2021



If you are in Cybersecurity, you probably heard about the latest Microsoft Exchange Vulnerability and Zero-Day attacks exploiting it. Many posts have been written on this topic and we have listed a few of them for you:

This is a critical vulnerability with serious consequences to any organization using MS Exchange servers. Here is a practical approach for all IT and cybersecurity professionals how to deal with this situation.

Three Solution Actions for HAFNIUM

  1. Patch Your Exchange Servers
  2. Look for Indicators of Compromise
  3. Do Nothing (for now)

1. Patch Your Exchange Servers

Although Microsoft released a patch on March 2nd. However, as of March 11, there were still more than 80,000 vulnerable Exchange Servers worldwide estimated. If you are running your own Exchange server, make sure all of your servers are patched to the latest level. If you have outsourced management of your servers to an MSP, make sure they have applied the patches and request evidence.

If you are not sure whether you have Exchange servers on your network, or whether they have been updated already, running a vulnerability scan is a quick way to figure out. This will also identify any unknown Exchange servers that were installed for testing and were never decommissioned.

If you don’t have the team or the tools to run a comprehensive vulnerability scan, reach out to us and we will help you. You can also go directly to our partner Qualys and get a free trial and run your own vulnerability scans.

2. Look for Indicators of Compromise

Once you are sure that all your Exchange servers are patched, you are still not in the clear. This specific vulnerability has been weaponized many times by many different attack groups. We have seen cases where the attackers have installed multiple back-doors, created accounts, opened ports or take other actions that will let them maintain a presence in your network. Just applying the latest patches does not eliminate these risks.

Contact us for a comprehensive analysis of your network, servers and workstations to detect any active threats on your systems and respond to them before they can cause any harm to your business. You can also start a free trial with <a href=https://secure2.sophos.com/en-us/products/sophos-central/free-trial.aspx?id=001f100001GbgtV target=_blank>Sophos if you’d like to use their technology directly. If you get stuck, we are here to help.

Check the following articles for more information about steps you can take to look for IOC and take necessary mitigation steps:

3. Do Nothing (for now)

If you are working for a company that has already transitioned to a cloud-based SaaS solution for email and online collaboration, you fall in this category. Consider yourself lucky! If you are not involved in your company’s IT or cybersecurity infrastructure you may not be aware of this but the majority of the organizations in the US are already running their email and collaboration tools on one of the two major SaaS vendors in this space:

The graph illustrates the market share ratio between G-Suite and Office 365.

Market share ratio between G-Suite and Office 365

 

Just using a cloud-based SaaS solution does not mean you don’t have to worry about cybersecurity. There are many examples of successful ransomware and business email compromise (BEC) attacks that resulted in significant financial damage, even for companies running a majority of their systems in the cloud. Cybersecurity is an ongoing process that needs to mature as your business operations and IT systems get more complicated. You still need to have good cybersecurity processes and tools to protect your business, including:

  • Asset discovery, vulnerability scanning, and patching
  • End-point protection against malware, ransomware, and phishing attacks
  • Threat monitoring, detection, and response
  • Network security
  • Cloud security
  • Access Management and MFA
  • Backup and recovery

If you were planning on adopting cloud services in 2021, but did not have executive management sponsorship, never waste a good crisis. This is another reason to look at transitioning your on-prem email and online collaboration solution to a SaaS solution.