In March, Microsoft detected multiple zero-day exploits being used to attack on-premises versions of its Exchange Server, the mail platform used by millions of people worldwide. In the attacks observed, the threat actor used these vulnerabilities to gain access to on-premises Exchange servers, which gave it access to email accounts and let it install additional malware to maintain long-term access to victim environments.
The Microsoft Threat Intelligence Center attributes this campaign, based on observed victimology, tactics and procedures, to HAFNIUM, a state-sponsored group operating out of China. HAFNIUM operates from leased virtual private servers within the U.S. that it quickly abandons once detected. A zero-day exploit attacks a vulnerability in existing software that the vendor does not yet know about, so no patch exists for it. Once the vulnerability becomes public, criminals can exploit it as easily as climbing through an open window in an otherwise secure building.
Security experts estimate that approximately 60,000 organizations were affected. We learned of the exploit through our peer-group security network about seven hours before Microsoft announced it to the Microsoft Partner Network. To Microsoft's credit, the company released patches for all existing on-premises Exchange versions, including 2010, 2013, 2016 and 2019, even though Exchange 2010 had already reached the end of extended support. The attackers were attempting to export mailbox data and download the Exchange offline address book from compromised systems.
Several days after the attack became public, Microsoft released tools to detect it, but savvy IT administrators were able to write their own scripts to find compromised systems before that release. It is worth noting that no security prevention or alerting tool in the industry caught the intrusion before disclosure, which shows the attack's level of sophistication. The attackers will use the mailbox data they gathered to mount more targeted phishing attacks (known as spear phishing) carrying more damaging payloads designed to exfiltrate even more data from U.S. companies. These attacks will most likely use spoofing to trick the recipient into thinking the email came from a trusted internal colleague.
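The kind of script those administrators wrote is a log hunt on the Exchange server itself. The following is an added example, not Microsoft's own Test-ProxyLogon script and not code from this column's author: it checks the two indicators Microsoft published in its March 2021 HAFNIUM guidance (HttpProxy requests whose routing anchor is a ServerInfo~ or Server~ value rather than a mailbox, and Set-*VirtualDirectory calls in the ECP server logs) and writes any hits to a folder for the incident responders. The log paths assume a default Exchange 2013/2016/2019 (V15) installation; the output folder name is this example's choice.

```powershell
# Added example: minimal hunt for the HAFNIUM/Exchange indicators Microsoft
# published in March 2021. Run in an elevated Exchange Management Shell on
# each on-premises Exchange server. Paths assume a default V15 install.

$exchangeRoot  = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'
$httpProxyLogs = Join-Path $exchangeRoot 'Logging\HttpProxy'
$ecpLogs       = Join-Path $exchangeRoot 'Logging\ECP\Server'
$outDir        = Join-Path $env:TEMP ('exchange-hunt-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. HttpProxy logs: requests routed with a ServerInfo~ / Server~ anchor instead
#    of a mailbox. Normal client traffic does not produce these values.
$proxyHits = Get-ChildItem -Path $httpProxyLogs -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
    ForEach-Object { Import-Csv -Path $_.FullName -ErrorAction SilentlyContinue } |
    Where-Object {
        $_.AnchorMailbox -like 'ServerInfo~*/*' -or
        $_.BackEndCookie -like 'Server~*/*~*'
    }

if ($proxyHits) {
    $proxyHits |
        Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox, HttpStatus, BackEndStatus, UserAgent |
        Export-Csv -Path (Join-Path $outDir 'httpproxy-hits.csv') -NoTypeInformation

    # Summarize by source IP so responders can pivot to firewall and proxy logs.
    $sources = $proxyHits | Group-Object ClientIpAddress | Sort-Object Count -Descending |
        ForEach-Object { "$($_.Name) ($($_.Count))" }
    Write-Warning ("HttpProxy: {0} suspicious request(s); source IPs: {1}" -f $proxyHits.Count, ($sources -join ', '))
} else {
    Write-Host 'HttpProxy: no ServerInfo~ / Server~ anchors found.'
}

# 2. ECP server logs: Set-*VirtualDirectory entries. The exploit chain used these
#    cmdlets to plant web shells, so review each hit for unexpected ExternalUrl values.
$ecpHits = Select-String -Path (Join-Path $ecpLogs '*.log') -Pattern 'Set-.+VirtualDirectory' -ErrorAction SilentlyContinue

if ($ecpHits) {
    $ecpHits | Select-Object Filename, LineNumber, Line |
        Export-Csv -Path (Join-Path $outDir 'ecp-hits.csv') -NoTypeInformation
    Write-Warning ("ECP: {0} Set-*VirtualDirectory entr(y/ies) found; review for unexpected ExternalUrl values." -f $ecpHits.Count)
} else {
    Write-Host 'ECP: no Set-*VirtualDirectory entries found.'
}

Write-Host "Results written to $outDir."
```

A hit in either file means the server should be treated as compromised and handed to incident response; applying the patch closes the door but does not evict an attacker who already has a web shell or mailbox export in hand.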
To protect against this follow-on phishing, we recommend that organizations prepend a warning banner to the body of every incoming email that originates outside the organization, for example: CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
To catch the recipient's attention, the banner text should be red and the word "CAUTION" bold. It is imperative to acknowledge that no single security tool, and no collection of them, is sufficient to protect a company's critical data and trade secrets. An organization should also invest continually in security awareness training for all staff and use third-party services that regularly simulate phishing and other email attacks.
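On Exchange, the banner is implemented as a mail flow (transport) rule. The following is an added example of that rule, written for this column rather than taken from the author or from Microsoft documentation; it runs in the on-premises Exchange Management Shell or in Exchange Online PowerShell after Connect-ExchangeOnline. The rule name, the loop-guard header name and its value are this example's choices.

```powershell
# Added example: transport rule that prepends a red, bold CAUTION banner to
# every message sent from outside the organization to an internal recipient.
# The custom header stops the banner being added twice when a message is
# forwarded back through the same rule (header name is hypothetical).

$ruleName   = 'External Sender Warning'
$guardHdr   = 'X-External-Sender-Banner'
$bannerHtml = @"
<div style="font-family:Arial,sans-serif;font-size:12px;color:#cc0000;border:1px solid #cc0000;padding:6px;margin-bottom:8px;">
<b>CAUTION:</b> This email originated from outside the organization.
Do not click links or open attachments unless you recognize the sender
and know the content is safe.
</div>
"@

New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfHeaderContainsMessageHeader $guardHdr `
    -ExceptIfHeaderContainsWords 'applied' `
    -SetHeaderName $guardHdr `
    -SetHeaderValue 'applied' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $bannerHtml `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Enforce `
    -Priority 0

# Confirm the rule exists, is enabled and sits at the top of the rule order.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, FromScope, SentToScope, ApplyHtmlDisclaimerLocation
```

Two caveats a practitioner should keep in mind. The Wrap fallback means a signed or encrypted message that cannot be rewritten is delivered as an attachment to a new message carrying the banner, which users need to be told about. More importantly, the rule keys on the sender's scope, so mail sent from a genuinely compromised internal mailbox, which is exactly what an Exchange intrusion yields, arrives with no banner at all; pair the rule with SPF, DKIM and DMARC enforcement so that externally spoofed internal addresses are rejected rather than merely labelled.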
These simulations are randomized across the organization so that one user cannot warn another about the timing or type of the simulated attack. The simulation records which links each user opened and which type of email attack that person is most susceptible to, and the service then schedules training specific to that user. While it is hard to find a company decision maker who will dispute that this kind of awareness training is vital, it is even harder to get them to invest the $15-$50 per month per mailbox that such a service costs.
In the meantime, set up some form of warning for users whenever an email arrives from an external source. Any IT team can implement this notification at no cost. It does not, however, actually raise employees' security IQ. As long as two-thirds of the security equation rests on the end user's judgment, security threats will remain ever present and grow increasingly sophisticated in the years ahead.
For more information, visit www.omnipotech.com or call (281) 768-4308.