Hafnium Exchange Zero Day Attack: What You Need to Know & Do

By Tim Boivin

The scope of the attacks exploiting multiple zero-day vulnerabilities in on-premises Microsoft Exchange Server continues to grow with each passing day. By news estimates they have already affected anywhere from 20,000 to 30,000 organizations in the U.S. alone.

Adversaries can chain these vulnerabilities to compromise networks and steal information, encrypt data for ransom, or launch other destructive attacks.

Organizations using Total Access Control (TAC) are not affected.

That is because the server-side request forgery (SSRF) tracked as CVE-2021-26855, the entry point of the exploit chain, is triggered by unauthenticated requests to the Exchange front end, and TAC does not forward unauthenticated requests.

The victims of the Hafnium Exchange hack run the gamut of vertical industries, including city and county governments, healthcare providers, banks and financial institutions, retailers, a university, an engineering firm, a telecom, and residential electricity providers, according to news reports. In Europe, the European Banking Authority took its email systems offline as a precautionary measure before restoring them.

As of March 5th, Huntress Labs was reporting that at least 800 Exchange servers around the world remained unpatched and “without the hotfix for an up-to-date CU (cumulative update) version number.”

The attacker sends an unauthenticated HTTP request to the Exchange front end carrying specially crafted cookies. The SSRF causes Exchange to relay the SOAP request embedded in the XML body to its backend as though it had been authenticated, so the attacker can then perform any operation on the targeted user’s mailbox.

However, TAC requires every user to authenticate to TAC itself before it will forward a request to any server whose access it controls. That requirement also covers requests to the Exchange Web Services (EWS) API endpoint, not just the web front end.

Thus the anonymous, arbitrary HTTP requests at the start of the exploit chain are rejected at TAC and never reach either the Exchange server or EWS, whatever cookies they carry.
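To make that gating principle concrete, here is an added example (it is not TAC code and not part of the original post) of the check an authenticating reverse proxy makes before forwarding anything to Exchange. The gateway issues its own HMAC-signed session only after it has authenticated the user; every request lacking such a session is refused before it is proxied, regardless of what other cookies it carries, so the Exchange server’s own handling of those cookies never comes into play. The cookie name gw_session, the signing key, the paths /ews/exchange.asmx and /owa/, the cookie named backend-hint standing in for the crafted cookies, and all sample requests are constructed for the example.

```python
"""Deny-by-default pre-authentication check in front of Exchange (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed gateway secret for this example only; a real gateway keeps it in a
# secret store and rotates it.
GATEWAY_KEY = b"example-gateway-key-not-for-production"
SESSION_COOKIE = "gw_session"  # assumed name of the gateway-issued session cookie


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]  # header names lower-cased
    body: bytes = b""


@dataclass
class Decision:
    forward: bool
    reason: str
    user: Optional[str] = None


def _sign(payload: str) -> str:
    return hmac.new(GATEWAY_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user: str, now: float, ttl: int = 3600) -> str:
    """Called only after the gateway has authenticated the user itself."""
    expires = int(now) + ttl
    payload = f"{user}|{expires}"
    return f"{payload}|{_sign(payload)}"


def verify_session(token: str, now: float) -> Optional[str]:
    """Return the user name if the token was signed by this gateway and is unexpired."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user, expires, mac = parts
    if not hmac.compare_digest(_sign(f"{user}|{expires}"), mac):
        return None  # forged or tampered token
    if not expires.isdigit() or int(expires) <= now:
        return None  # expired
    return user


def parse_cookies(header: str) -> Dict[str, str]:
    cookies: Dict[str, str] = {}
    for item in header.split(";"):
        if "=" in item:
            name, value = item.strip().split("=", 1)
            cookies[name] = value
    return cookies


def decide(req: Request, now: float) -> Decision:
    """Deny by default: nothing is proxied to Exchange or EWS without a gateway session."""
    token = parse_cookies(req.headers.get("cookie", "")).get(SESSION_COOKIE)
    user = verify_session(token, now) if token else None
    if user is None:
        return Decision(False, f"{req.method} {req.path}: no valid gateway session")
    return Decision(True, f"{req.method} {req.path}: forwarded as {user}", user)


# --- Constructed sample traffic (not captured from a real incident) ---
NOW = 1_615_000_000.0  # fixed clock so the results are reproducible
SOAP_BODY = b"<Envelope/>"  # placeholder SOAP body

ANON_SOAP_TO_EWS = Request(
    "POST", "/ews/exchange.asmx",
    {"cookie": "backend-hint=constructed-placeholder", "content-type": "text/xml"},
    SOAP_BODY,
)
VALID_USER_REQUEST = Request(
    "GET", "/owa/", {"cookie": f"{SESSION_COOKIE}={issue_session('alice', NOW)}"}
)
EXPIRED_USER_REQUEST = Request(
    "GET", "/owa/", {"cookie": f"{SESSION_COOKIE}={issue_session('alice', NOW - 7200)}"}
)
# Tampering: take alice's valid token and rewrite the user field without re-signing.
_tampered = issue_session("alice", NOW).replace("alice|", "mallory|", 1)
TAMPERED_REQUEST = Request(
    "POST", "/ews/exchange.asmx", {"cookie": f"{SESSION_COOKIE}={_tampered}"}, SOAP_BODY
)


def run_samples() -> Dict[str, bool]:
    """Map each sample request to whether the gateway would forward it."""
    samples = {
        "anonymous SOAP to EWS": ANON_SOAP_TO_EWS,
        "valid session": VALID_USER_REQUEST,
        "expired session": EXPIRED_USER_REQUEST,
        "tampered session": TAMPERED_REQUEST,
    }
    return {name: decide(req, NOW).forward for name, req in samples.items()}


if __name__ == "__main__":
    for name, forwarded in run_samples().items():
        print(f"{name:24s} -> {'FORWARD' if forwarded else 'DENY'}")
```

Only the request carrying a session the gateway itself issued is forwarded; the anonymous SOAP POST to EWS, the expired session, and the tampered token are all refused before any proxying happens. The point of the design is that the authentication decision depends solely on the gateway’s own signed state, never on cookies the client controls.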

As with any security technology, this protection holds only if TAC is the sole path to the Exchange server. Improperly secured alternate pathways, such as direct access from the local network, or RDP or VPN connectivity that places a client on the same network as Exchange, bypass the gateway entirely. Confirm with a scan from a non-gateway host that the Exchange front-end ports answer only to the gateway.

CISA Guidance

Because of the widespread and indiscriminate exploitation of these vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) recommends that all Exchange Server system owners complete the steps in its guidance. CISA adds two notes:

Note: these mitigations are not an adequate long-term replacement for applying updates; organizations should apply updates as soon as possible.

Note: Responding to indicators of compromise (IOCs) is essential to evict an adversary from your network, so it needs to occur in conjunction with measures to secure the Microsoft Exchange environment.

Senior leadership should ask their IT teams:

  • What steps the team has taken to address these vulnerabilities.
  • Whether the organization has the technical capability to follow the guidance cited above.
  • If it does not, whether third-party IT security support has been requested.

CISA also says that leaders should request frequent updates from in-house or third-party IT personnel on the progress that is being made in implementing the guidance outlined above until it is completed.

Please don’t hesitate to contact us at info@portsys.com to learn how TAC can block exploitation of zero-day vulnerabilities like those behind the Hafnium Exchange attacks across your attack surface.