Microsoft Hack 2021: Exchange Server Exploit


Microsoft Hack: What Happened?

On January 6, 2021, researchers from Volexity identified an attack targeting Microsoft Exchange 2013, 2016, and 2019 servers. The malicious actors, which Microsoft has identified as a state-sponsored Chinese group dubbed Hafnium, took advantage of a server-side request forgery (SSRF) vulnerability in Exchange (CVE-2021-26855), chained with further flaws, to gain unauthenticated access to organizations' on-premises Exchange servers.

This vulnerability was a zero-day, which means that attackers were exploiting it before Microsoft had a patch available, so there was nothing defenders could have applied in advance to stop it. Unfortunately, much like SolarWinds, the full effect of this attack is still unknown.

What Does This Exploit Mean for Organizations with Exchange Servers?

This attack was so widespread that anyone running an internet-facing on-premises Exchange server should assume it has been compromised until an investigation shows otherwise.

This exploit allowed hackers to gain full machine-level access to the Exchange server they were targeting, since the web shells they dropped ran with the same privileges as the Exchange service. From there, they could harvest credentials and other information that may have allowed entry to other areas of the victim's network.

In the event the attacker is able to move laterally to other machines, the organization becomes vulnerable to further attack, which may include ransomware or data exfiltration. In addition, the hacker could leave a backdoor such as a web shell on the server. Patching closes the entry point but does not remove anything that was already dropped, so such a backdoor keeps working after the patches have been applied.

Next Steps to Protect Your Network

The first step is to patch your server and then look for indicators of compromise (IOCs). Microsoft has already provided security updates for all affected versions, along with tools such as the Test-ProxyLogon.ps1 script to check whether your server has been exploited and is still vulnerable.

While it is easy to apply these patches, it is also essential to take the proper investigative measures: confirm that nothing persistent was left behind, confirm that data has not been exfiltrated, and determine whether the hackers were able to move laterally to other machines on your network.
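An added example of what that first IOC sweep looks like in practice; this is not code from the original page and not Microsoft's own script. It is meant to be run in an elevated PowerShell session on each on-premises Exchange server after patching, and it covers three of the indicator classes Microsoft documented for this campaign: unauthenticated SSRF requests in the HttpProxy logs, virtual-directory changes in the ECP server log that the web shell write abused, and recently modified script files in the directories the attackers dropped shells into. The log locations, CSV column names and drop directories assume a default Exchange 2013/2016/2019 (V15) installation; the date cutoff is an assumption chosen to cover the days before public disclosure.

```powershell
# Added example, not from the original page or from Microsoft: first-pass HAFNIUM IOC sweep.
# Run elevated on each on-premises Exchange server. Paths assume a default V15 install.
param(
    [string]$ExchangeRoot = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'),
    # Assumed cutoff: a few days before Microsoft's 2 March 2021 disclosure.
    [datetime]$Since = (Get-Date '2021-02-26')
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $When, $Detail, $Source) {
    $findings.Add([pscustomobject]@{ Check = $Check; When = $When; Detail = $Detail; Source = $Source })
}

# 1. SSRF (CVE-2021-26855): HttpProxy log rows with an empty AuthenticatedUser but a
#    back-end "ServerInfo~" anchor mailbox, which legitimate clients never send.
$proxyLogs = Get-ChildItem -Path (Join-Path $ExchangeRoot 'Logging\HttpProxy') -Recurse -Filter '*.log' -ErrorAction SilentlyContinue
foreach ($log in $proxyLogs) {
    Import-Csv -Path $log.FullName -ErrorAction SilentlyContinue |
        Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
        ForEach-Object { Add-Finding 'CVE-2021-26855 SSRF' $_.DateTime "$($_.ClientIpAddress) $($_.AnchorMailbox)" $log.FullName }
}

# 2. Web shell write via virtual directory settings (CVE-2021-27065): the exploit used
#    Set-*VirtualDirectory to write attacker content to disk, which is logged by ECP.
$ecpLogs = Join-Path $ExchangeRoot 'Logging\ECP\Server\*.log'
Select-String -Path $ecpLogs -Pattern 'Set-.+VirtualDirectory' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'CVE-2021-27065 VirtualDirectory write' $null $_.Line.Trim() "$($_.Path):$($_.LineNumber)" }

# 3. Script files written since the cutoff in the directories the web shells were dropped into.
$dropDirs = @(
    (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth')
)
Get-ChildItem -Path $dropDirs -Recurse -Include '*.aspx', '*.asp', '*.ashx' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    ForEach-Object { Add-Finding 'Possible web shell' $_.LastWriteTime $_.FullName $_.DirectoryName }

if ($findings.Count -eq 0) {
    # Logs rotate and attackers delete evidence, so an empty result is not proof of a clean server.
    Write-Output "No HAFNIUM indicators found on $env:COMPUTERNAME (absence of evidence only)."
} else {
    $findings | Sort-Object Check, When | Format-Table -AutoSize
    # Preserve the evidence for the forensic investigation before remediating anything.
    $findings | Export-Csv -Path (Join-Path $env:TEMP "hafnium-ioc-$env:COMPUTERNAME.csv") -NoTypeInformation
}
```

Treat any hit as the start of an investigation, not the end of one: a web shell found in step 3 means the credentials on that server and anything reachable from it are in scope, and the HttpProxy and ECP logs should be copied off the host before they rotate.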

In addition, you need to consider which vendors or third parties have access to your network. As with the SolarWinds attack, if a vendor was compromised, there is a chance the hacker already has the access or the credentials needed to reach your organization's network.

When it comes to mitigating risk right now, organizations should partner with a trusted advisor to perform a forensic investigation. This would include collecting and analyzing log data to search for threats such as backdoors, persistent communications, and lateral movement across your network.

In addition, a trusted advisor can assist with implementing custom, proactive solutions such as performing a configuration audit, conducting a penetration test, or implementing real-time monitoring via a SIEM solution. They can also provide guidance on ways to further protect your data moving forward.

