What is ‘Hafnium’ and what do I need to know?

Hey everyone, Adam here! On March 2nd, 2021, Microsoft disclosed that a nation-state actor had been observed using several previously unknown vulnerabilities to gain unauthorized access to on-premises Microsoft Exchange servers worldwide. The security community has been laser-focused on this ever since the news broke. Naturally, the bad guys (the Hafnium group itself, and soon plenty of ordinary cybercriminals) have been scrambling to exploit the vulnerabilities before organizations get around to patching.

But what does all this mean, and how does it impact your business? Before we can get into the lessons we can learn, we need to break down the events around the incident. We'll also share some helpful links at the end.

What is Hafnium and what are they up to?

Hafnium is the name Microsoft gave to the state-sponsored group, assessed to be operating out of China, that has been observed targeting organizations in the US. This group is a highly skilled and sophisticated attacker.

Hafnium has been observed leveraging security vulnerabilities in Microsoft Exchange to gain access to a company's email. Microsoft Exchange is the on-premises email server software run by hundreds of thousands of organizations worldwide; if your organization has ever hosted its own email infrastructure, you have almost certainly used Exchange. Once attackers are in, they can harvest mailboxes or, worse, use the Exchange server as a foothold to push further into the breached organization. In the observed attacks they did this by dropping web shells (small server-side scripts that give the attacker remote control over the box) onto the compromised server, and a web shell keeps working even after the server is patched.

How bad is this?

Within days of the disclosure, reports put the number of compromised servers at upwards of 30,000 and growing. Even worse, other bad guys figured out how to use the same vulnerabilities for their own purposes: researchers have reported ransomware being deployed on servers first breached through these flaws, along with the tactics ransomware groups commonly use. While it's too early to say exactly what the future holds, unauthorized access to a system this central (an Exchange server handles every employee's email and typically holds high privileges in the company's Active Directory) can be paralyzing for an organization.

What is Microsoft doing about this?

Microsoft immediately released out-of-band security updates for all supported versions of Exchange and advised organizations to install them right away. The Cybersecurity and Infrastructure Security Agency (CISA) followed suit with Emergency Directive 21-02, which ordered federal agencies to hunt for compromise and patch affected servers, and echoed Microsoft's advice to everyone else. Microsoft and other security researchers have also released tools and guidance for checking whether an organization has already been compromised. One important caveat: patching closes the door, but it does not remove an attacker who has already walked through it. If the server was exposed to the internet before the update went on, you still need to check it for web shells and other signs of compromise.

Have I been compromised?

That’s a great question for your IT folks.

If Office 365 (Exchange Online) hosts your email, you're in good shape: the cloud service was not affected. However, if your organization runs Exchange 2013, 2016 or 2019 on-premises, you're at risk, and that includes "hybrid" setups that keep an on-premises Exchange server alongside Office 365. (Exchange 2010 is out of support, but Microsoft shipped a defense-in-depth update for it as well.) Microsoft has published indicators of compromise and a detection script, Test-ProxyLogon.ps1, in its CSS-Exchange GitHub repository, and other security vendors have released scanners of their own. If your organization turns out to be compromised, your IT folks should be working through their incident response procedures and coordinating with the appropriate partners, not simply patching and moving on.
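To make the "have I been compromised?" check concrete, here is an added example (it is not Microsoft's Test-ProxyLogon.ps1 and not code from the original post) that triages exported Exchange HttpProxy logs offline. It assumes the logs follow Exchange's CSV-style layout: comment lines starting with "#", a "#Fields:" line naming the columns, then one request per line. It applies the indicator Microsoft published for the server-side request forgery (CVE-2021-26855): an unauthenticated request (empty AuthenticatedUser) whose AnchorMailbox starts with "ServerInfo~" and carries a backend path. The sample log, the host names and the IP addresses are constructed for the example.

```python
"""Offline triage of Exchange HttpProxy logs for the ProxyLogon SSRF indicator.

Added example, not Microsoft's Test-ProxyLogon.ps1. Assumes Exchange's CSV-style
HttpProxy logs: '#' comment lines, a '#Fields:' header naming the columns, then one
request per line. Microsoft's published indicator for CVE-2021-26855 is an
unauthenticated request whose AnchorMailbox looks like 'ServerInfo~*/*'.
"""
import csv
from collections import Counter

# Constructed sample, not a real capture. Real logs carry many more columns; because
# the parser takes the column names from the '#Fields:' line, extra columns are fine.
SAMPLE_HTTPPROXY_LOG = (
    "#Software: Microsoft Exchange Server\n"
    "#Log-type: HttpProxy Logs\n"
    "#Date: 2021-03-03T00:00:00.000Z\n"
    "#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,"
    "AuthenticatedUser,AnchorMailbox,HttpStatus\n"
    "2021-03-03T01:12:04.511Z,7f1c,203.0.113.10,mail.example.test,"
    "/owa/auth/logon.aspx,,,200\n"
    "2021-03-03T01:13:40.002Z,8a92,198.51.100.7,mail.example.test,"
    "/ecp/y.js,,ServerInfo~a]@mail.example.test:444/autodiscover/autodiscover.xml?#,200\n"
    "2021-03-03T01:15:09.318Z,9b03,10.0.0.25,mail.example.test,"
    "/ews/exchange.asmx,CONTOSO\\jsmith,jsmith@example.test,200\n"
    "2021-03-03T01:16:22.770Z,9c44,198.51.100.7,mail.example.test,"
    "/ecp/y.js,,ServerInfo~a]@mail.example.test:444/mapi/emsmdb/?#,200\n"
)


def parse_httpproxy_log(text):
    """Return one dict per request row, keyed by the names on the '#Fields:' line."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if not line.strip() or line.startswith("#"):
            continue  # other metadata lines and blank lines
        if fields is None:
            raise ValueError("data row encountered before the #Fields header")
        values = next(csv.reader([line]))  # csv handles quoted fields containing commas
        rows.append(dict(zip(fields, values)))
    return rows


def is_ssrf_indicator(row):
    """Microsoft's indicator: AuthenticatedUser empty and AnchorMailbox like
    'ServerInfo~*/*' (a ServerInfo~ value that names a backend path)."""
    anchor = row.get("AnchorMailbox", "")
    return (row.get("AuthenticatedUser", "") == ""
            and anchor.startswith("ServerInfo~")
            and "/" in anchor[len("ServerInfo~"):])


def find_ssrf_hits(rows):
    return [r for r in rows if is_ssrf_indicator(r)]


def summarize_hits(hits):
    """Count hits per source IP and per backend path. Hits are exploitation attempts;
    a 200 on the hit suggests success, but confirmation is a web shell on disk or the
    follow-on requests in the ECP/OWA logs."""
    by_ip = Counter(h["ClientIpAddress"] for h in hits)
    by_target = Counter(
        h["AnchorMailbox"].split("/", 1)[1].split("?", 1)[0] for h in hits
    )
    return {"by_ip": dict(by_ip), "by_target": dict(by_target)}


def triage(text):
    """Parse one log file's text and return counts plus the matching rows."""
    rows = parse_httpproxy_log(text)
    hits = find_ssrf_hits(rows)
    return {"requests": len(rows), "hits": hits, **summarize_hits(hits)}


if __name__ == "__main__":
    result = triage(SAMPLE_HTTPPROXY_LOG)
    print(f"{result['requests']} requests, {len(result['hits'])} SSRF indicator hits")
    for ip, n in result["by_ip"].items():
        print(f"  source {ip}: {n} hit(s)")
    for h in result["hits"]:
        print(f"  {h['DateTime']} {h['ClientIpAddress']} {h['UrlStem']} -> {h['AnchorMailbox']}")
```

In practice you would copy every *.log under the server's Exchange Server\V15\Logging\HttpProxy directory to an analysis machine and run triage() over each file; a single hit from one IP against one backend path may be an opportunistic scan, while repeated hits against /ecp and /mapi paths followed by new .aspx files in the OWA or ECP directories is the pattern to escalate as an incident. Microsoft's own script checks the same indicator plus several others (including event log entries and files dropped by the other three vulnerabilities), so use it as the supported tool and treat this as a readable illustration of what it is looking for.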

What comes next?

Well, that's difficult to say. We have a lot more to learn about the motivations of those leveraging these exploits, but we do know that this will not be an isolated incident. We will see more major security vulnerabilities and more action by malicious entities. Therefore, security needs to be part of the decision-making process for your IT infrastructure and part of your company culture. If you're interested in some lessons and takeaways from this vulnerability, please see our blog for more.

Links

https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://www.cisa.gov/ed2102

https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/

https://www.scmagazine.com/home/security-news/data-breach/as-hafnium-timeline-crystalizes-signs-of-new-microsoft-exchange-server-attacks-emerge

https://news.sophos.com/en-us/2021/03/05/hafnium-advice-about-the-new-nation-state-attack/

https://arstechnica.com/gadgets/2021/03/ransomware-gangs-hijack-7000-exchange-servers-first-hit-by-chinese-hackers/