Application security, Breach, Data Security, Patch/Configuration Management, Vulnerability Management

As Hafnium timeline crystalizes, signs of new Microsoft Exchange Server attacks emerge

A surge of breaches against Microsoft Exchange Server appear to have rolled out in phases, with signs also pointing to other hackers using the same vulnerabilities after Microsoft announced a patch.

Last week, Microsoft patched four Exchange Server vulnerabilities being used by a hacker group in "targeted and limited" breaches. But as vendors rushed to patch systems, breaches did not appear limited at all. By Wednesday, Huntress Labs told SC Media it was seeing hundreds of breached servers. By the weekend, some researchers were speculating the number of breached systems could reach a hundred thousand.

"I think the statement made by Microsoft, that it was initially very targeted is probably correct; Hafnium or whoever is behind this, was very focused in their initial attack, prior to February 27th," said Tyler Hudak, who is leading the incident response effort for vendor TrustedSec. "On the 27th, that's when it moves to a much larger scale."

In that timeline, the first major wave of breaches may have occurred after Microsoft would have been working on the patch.

Several security vendors tell SC Media that Hafnium dropped web shells onto servers at a noticeable rate on February 27 and 28. But TrustedSec discovered that Hafnium hacked very few of the available targets, installing the web shells on a small subset of servers visited and scanned for vulnerabilities over those two days. The group would ultimately do the brunt of its hacking of the servers it found to be vulnerable a week later.

"It feels like an automated attack where someone ran a vulnerability scan on February 27 and 28 and then used a script on March 2 and 3 to physically return to the addresses to drop a web shell so they could go back in person later," said Hudak.

This, said Hudak, may explain why multiple versions of the same web shell frequently ended up on the same server – a detail first noticed by Huntress last week. Victims could have been hit during the early targeted attacks, the late February vulnerability-scanning period, and during the script-based attack in early March.

Still unclear is whether the script fired up before or after Microsoft announced the patches. A script might have been an attempt to squeeze as many footholds as possible out before potential targets patched.

New attacks, new tactics

Now in the wake of Hafnium, responders are reporting what appear to be other clusters of activity. That either means other groups are using the same chain of vulnerabilities or an offshoot of Hafnium is using wildly different tactics, techniques, and procedures in attacks after the announced patches.

Specifically, TrustedSec reported a botnet-like distributed vulnerability scan that some actor is using to discover vulnerable targets. Red Canary is tracking three distinct clusters of activity, using different procedures.

"We have a lot of questions about that right now. Was that just different adversaries dropping those web shells independently of each other? Were they working together as one adversary piggybacking off someone else's access? We don't know right now," said Red Canary director of intelligence Katie Nickels. "And so, in short, tracking the clusters of adversaries behind this is just a mess."

Microsoft would not comment on this story. Thus far the company has remained steadfast in emphasizing the need to patch the server vulnerabilities.

Nickels notes that patching may not be enough, given the opportunism of the hackers. Installing the patch does not disrupt malware already in place, and it's important to investigate exposure.

Hudak adds that in many cases, installed web shells were never used, so it's possible to have a web shell installed without any sign of exfiltration.

Nickels added that whether it was a hundred targeted attacks or 100,000 bulk victims, network defenders need to be treating this as a grave threat.

"Numbers aren't that important," whether 100 servers were targeted or 100,000, said Nickels. "Everyone needs to take this seriously. Regardless of whether it's China or not, t's a serious threat being exploited in the wild."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.