Table of Contents
International threat risk increases
Started as an attack by Chinese hackers under the name Hafnium, an international threat risk is developing for Microsoft Exchange users.
After Microsoft published the attack pattern, the number of attackers exploded. In addition to American companies and authorities, Europe is also coming into the focus of the hackers.
The goal of the attacks is the extraction of data. Emails, contact data and internal company information are the prey. Vulnerabilities in the Exchange Server are used to transfer the data to file-sharing platforms. These can now be further used by the hackers. As primarily unpatched versions of the Exchange Server are of interest, this attack particularly affects smaller companies, authorities and institutions, according to US cybersecurity expert Chris Krebs.
After all, positive about these attacks: Not all hacks are successful. Automated or chaotically executed, these attacks hit different levels of security precautions. Internal settings can prevent greater damage here. Nevertheless, it is better to check and secure once more than to lose the basis of your business. If you have an Exchange Server in use, we recommend as a first measure to check the system according to the Microsoft published Instruction.
Have investments in security promoted?
Talk to us!
The approach of the hackers
The most common vulnerabilities were related to Exchange and the contact and address data. Through the vulnerability CVE-2021-26855 to simulate being the authenticated Exchange server as an http request could be gained access. Via a deserealization exploit CVE-2021-26857 could now execute malicious code (for example, webshells). This made it possible to export data. This data was exported via data write exploits (in particular CVE-2021-26858 and CVE-2021-27065) and compressed.
Even more serious, however, were remote access tools that were installed and could ultimately give the hackers access to the entire network. The PowerCat program was probably the primary tool used here.
A detailed description as a publication of Microsoft you will find here.
What measures to take?
Primarily, you should install the latest Microsoft security updates. Even Exchange without support is released by Microsoft for this purpose.
Then, as mentioned above, check to see if you have been compromised.
And in the long term: new techniques such as SIEM (link to our partner) can proactively make these attacks visible and enable initial countermeasures even without security updates. To prevent a new compromise, we recommend a review of the existing security measures and a possible strengthening of the same. We would be happy to advise you on the possibilities in this area.