If you are responsible for privacy compliance at an organization and have not yet been involved in the response to the major security threat to Microsoft Exchange servers over the last week, it’s probably time to have a talk with your counterparts in IT or Security.
Technical Details of Attack
- CISA Emergency Directive 21-02 Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- Microsoft Security Blog: HAFNIUM targeting Exchange Servers with 0-day exploits
- Microsoft Security Center: Multiple Security Updates Released for Exchange Server
- Volexity: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
The Story So Far
IT and Security professionals have recently been dealing with a very serious attack that, in addition to security concerns, could have serious implications for privacy programs. On March 2, Microsoft announced a number of vulnerabilities in Microsoft Exchange. This is a multistep attack chain that exploits multiple, previously unknown vulnerabilities. The attack chain combining these exploits, which is being referred to as “Hafnium,” was being actively used by what is believed to be a Chinese cyber espionage group. Additional technical details are available, but the bottom line for those of us working in privacy is that the impact of these exploits is critical: entire email systems could have been compromised, backdoors may have been created in the network, and data could have been exfiltrated.
The attack has also cast a wide net, and it is believed that possibly 30,000 organizations have been compromised in the United States alone. However, just as with SolarWinds, it is not clear how many of those organizations have actually had these backdoors used or data exfiltrated. It is possible that these threat actors were somewhat selective in regard to the information they were seeking. It appears the attacks started in January; however, as soon as the attack became public, the hackers appear to have greatly increased the pace of their operations. Moreover, now that the attack is known, other threat actors are likely to either exploit these vulnerabilities to install their own backdoors or exploit the existing backdoors. It is likely that additional attacks, including more traditional profit-motivated attacks such as ransomware, are imminent.
Microsoft has released patches that address these vulnerabilities, and there are tools available to help determine if your organization has been impacted by this attack. Organizations with vulnerable servers must deploy the patches that address these vulnerabilities. However, patching the servers is not sufficient if they have already been compromised. Your IT and Security teams have likely been busy patching, scanning, examining logs, trying to determine if servers were actually compromised, and trying to identify if information was exfiltrated.
If you haven’t yet heard from or been engaged by IT or Security regarding this situation, you should start the conversation. There are several key pieces of information you should be looking for initially to determine if your organization was impacted:
- Was your organization potentially vulnerable to this attack?
- Do you run any of the impacted versions of Microsoft Exchange?
- If yes, what has been done to remediate the situation?
- Have all of the patches provided by Microsoft been deployed to all potentially vulnerable servers? If yes, when was deployment of these patches completed?
- Has a search been performed to identify any web shells? Have any been found?
- Has the Exchange product log been analyzed for any IoCs (indicators of compromise) using the script issued by Microsoft?
If web shells were identified or IoCs were found in the Exchange logs, your organization will need to undertake a forensic effort to determine if any data was exfiltrated and probably engage in a broader effort to ensure the integrity of the network.
If data has been exfiltrated, from a privacy perspective the most likely risk is the loss of users’ emails to the attacker. An organization’s emails can represent a dizzying array of proprietary, confidential, personal, or otherwise regulated information, presenting a host of issues for privacy professionals to address. You will need to work with others in the organization, such as IT, Security, or outside forensic firms, to determine exactly what data may have been accessed and exfiltrated.