SECURITY ADVISORY - HAFNIUM 0-Day Exchange Server Attack

Published: 3rd March 2021 | In: Threat Intelligence & Advice

News has broken today of a new attack discovered by Microsoft against Exchange Server. Quorum Cyber have produced the Quick Info below to bring you up to date on what you need to know and what you need to do to protect yourself from this threat.

What is it?

Microsoft have discovered ongoing attacks against Exchange Server 2010, 2013, 2016 and 2019 utilizing 0-Day vulnerabilities. Microsoft have attributed this attack to HAFNIUM. The threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.

This attack is directed at Exchange 2010, 2013, 2016 and 2019 and does not affect Exchange Online (Office 365). However, you may still be affected if you are running a hybrid deployment.

What is the Impact?

Potentially disastrous. If left unpatched, this vulnerability can allow attackers onto your Exchange servers with SYSTEM-level access, leaving your email fully under their control and giving the threat actor a strong foothold from which to attack your domain and Active Directory environment.

Are my systems vulnerable?

Microsoft released patches on the 2nd of March. Please check your Exchange server health via this GitHub script.

Quorum Cyber Managed Services customers are already being actively threat hunted and vulnerability scanned.

How do I mitigate this threat?

Apply the patches as per this Microsoft article. They should be applied immediately, regardless of the downtime, as this poses an immediate, real threat.

Further Information

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901