Start Your Investigation Now
On January 6, 2021, researchers from Volexity identified an attack targeting Microsoft Exchange 2013, 2016, and 2019 servers. Malicious actors, which Microsoft has identified as a state-sponsored Chinese group dubbed Hafnium, took advantage of a server-side request forgery (SSRF) exploit to gain access to organizations’ on-premises Exchange servers.
This vulnerability has been identified as a zero-day exploit, which simply means that it was being exploited to gain full access to servers before it had been identified and patched. Unfortunately, much like SolarWinds, the full effect of this attack is still unknown.
This attack was so widespread that anyone currently running an on-premises Exchange server should assume it has been compromised.
This exploit allowed hackers to gain full machine-level access to the Exchange server they were targeting. From there, they could gather passwords and other information that may have allowed entry to other areas of the victim’s network.
In the event the attacker is able to move laterally to other machines, the organization becomes vulnerable to further attack, which may include ransomware or data exfiltration. In addition, the hacker could create a backdoor to the network, which would allow remote access even after patches have been applied.
The first step is to patch your server and look for indicators of compromise (IOCs). Microsoft has already provided patches, along with tools to test whether or not your server is still vulnerable.
While it’s easy to apply these patches, it is also essential to take the proper investigative measures: ensure that there isn’t a persistent threat, confirm that data has not been exfiltrated, and determine whether or not the hackers were able to move laterally to other machines on your network.
In addition, you need to consider what vendors or third parties have access to your network. Similar to the SolarWinds attack, if your vendor was compromised, there is a chance the hacker has the information needed to exploit your organization’s network.
When it comes to mitigating risk right now, organizations should partner with a trusted advisor to perform a forensic investigation. This would include collecting and analyzing log data to search for threats such as backdoors, persistent communications, and lateral movement across your network.
In addition, a trusted advisor can assist with implementing custom, proactive solutions such as performing a configuration audit, conducting a penetration test, or implementing real-time monitoring via a SIEM solution. They can also provide guidance on ways to further protect your data moving forward.