HAFNIUM Microsoft Email Attack

8 Mar 2021 | News

Over the last few days, you may have read about a zero-day attack impacting Microsoft Exchange Servers.

We became aware of this vulnerability on Wednesday last week (it was discovered on the 2nd in the USA so we were on to it immediately, allowing for time-zones) .  We were getting updated advisories as they became available.

 

For most of our clients, this vulnerability has NO IMPACT

Most of our clients now use Microsoft 365 for their email. These are un-affected. The attack only impacts on-premise Exchange servers, of which there are relatively few left.

Microsoft released an urgent service pack and we applied that immediately to all Exchange servers under KARE and contacted all other active clients who have Exchange. These patches prevent the infection from spreading but don’t remove it if the server was already infected.

We checked and rechecked all servers we maintain and while at first glance, we thought there was only one server impacted and subsequently, further research, newer information and deeper testing has revealed more.  This has been insidious and we keep learning more all the time.  We are working with all impacted clients to clean these servers up.

 

The Good news

At this point, all Exchange servers that Kinetics maintains are passing the necessary tests to indicate they updated and patched.

Anecdotally, from our connections with other IT firms, it looks like about 75% of Exchange servers checked were found to have been infected.

State-Sponsored Event?

There was commentary that this was a co-ordinated attack out of China intended to spy on its victims. If this is true, then there it would seem to be part of a pattern of growing IT terrorism on a global scale.

As we keep reminding readers, no one can guarantee that you won’t be attacked (actually we can pretty much assert that everyone IS being attacked) and no one can guarantee that an attack won’t be successful. But we can take all reasonable steps to reduce the risk.

This highlights the need to be vigilant and to keep adding more security layers as they become available, like KARE for Security and the enhanced security service we are launching later this month (23rd March)

State-Sponsored Event?

There was commentary that this was a co-ordinated attack out of China intended to spy on its victims. If this is true, then there it would seem to be part of a pattern of growing IT terrorism on a global scale.

As we keep reminding readers, no one can guarantee that you won’t be attacked (actually we can pretty much assert that everyone IS being attacked) and no one can guarantee that an attack won’t be successful. But we can take all reasonable steps to reduce the risk.

This highlights the need to be vigilant and to keep adding more security layers as they become available, like KARE for Security and the enhanced security service we are launching later this month (23rd March)

 

For the technically-minded:

  • The vulnerability exploited four newly discovered vulnerabilities in Microsoft Exchange CVE-2021-26855, CVE-2021-26857 CVE-2021-26858 and CVE-2021-27065)
  • Hafnium is named after the element Hf, number 72 on the periodic table. It’s classed as a metal and is used in semi-conductors and it has been used in control-rods in nuclear reactors to absorb neutrons.

 

References :

HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security
New nation-state cyberattacks – Microsoft On the Issues
China’s and Russia’s Spying Sprees Will Take Years to Unpack | WIRED
Microsoft email users in NZ told to act quickly after mass hack – NZ Herald