POZNAN, POL – SEP 23, 2020: Laptop computer displaying logo of Microsoft Exchange, a mail server and calendaring server developed by Microsoft

A cyberattack affecting thousands of users of Microsoft’s Exchange email server has left the tech giant scrambling this week to patch the vulnerabilities being exploited by the hackers. A Chinese state-sponsored group, Hafnium, is thought to have started the attack, and with more criminals now joining the party, businesses, particularly smaller organisations, could feel the impact of the breach for months to come. But, ironically, the hack could help Microsoft achieve its ambitions in the cloud.

First spotted in January by analysts at Volexity, zero-day vulnerabilities in Exchange allow hackers access to Exchange email accounts without any authentication credentials. They can use this to steal information or launch further malware deeper into victims’ systems. The vulnerabilities affect current and legacy versions of Exchange, and though Microsoft has released a raft of patches over the past week, cybersecurity company Censys says more than 50% of the 250,000 Exchange servers visible online remain unpatched and exposed to potential attacks. Meanwhile, other hacking groups have joined Hafnium to take advantage of the issue, with at least ten criminal organisations thought to be mounting attacks.

The vulnerabilities exposed by the attack are “significant and need to be taken seriously,” according to Mat Gangwer, senior director at Sophos Managed Threat Response. He told Tech Monitor: “The broad installation of Exchange and its exposure to the internet mean that many organisations running an on-premises Exchange server could be at risk.”

Victims are thought to number tens of thousands of organisations, including high-profile institutions such as the European financial services regulator the European Banking Authority. Microsoft says Hafnium “primarily targets entities in the United States”, and an analysis of just under 1,000 infected samples from the current attack by cyber defence provider Malwarebytes would appear to back this up. It shows the majority come from companies based in the US, although targets are spread around the world.

Hafnium Exchange Server attack: how it happened

The attackers “are actively exploiting these vulnerabilities with the primary technique being the deployment of web shells,” says Gangwer. A web shell is a small malicious script that is implanted on vulnerable and exploited exchange servers. “It works by taking commands or instructions from the threat actor and executing them locally on the affected device,” he explains. “They are traditionally used to maintain persistent access to a device over a period of time.” Web shells are by no means a novel technique, but, Gangwer says, “what stands out with this specific attack is the magnitude of affected devices, and how these web shells could be used in the future if not removed”.

Small businesses could suffer

The extent of the breach and the number of customers affected has led Microsoft to release patches for older versions of Exchange that are no longer supported. Organisations can find all available patches here.

However, these are unlikely to put an end to the problem: while software updates can stop future breaches, they do nothing about the damage that has already been done. “Remediation can be extremely challenging,” says Brett Callow, threat analyst at Emsisoft. “It took A1 Telekom, Austria’s largest ISP, more than six months to evict hackers from its environment.”

Callow says few small businesses have the expertise to work out whether they’re compromised. “This is a time when governments need to step up and provide organisations with the advice and tools they need to be able to secure their networks,” he adds. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued advice that includes a test that businesses can use to see if their network is infected.

Gangwer’s advice is to review server logs “for signs that an attacker may have exploited their Exchange server.” He says: “Many of the current known indicators of compromise are web shell-based, so there will be file remnants left in the Exchange server. An overview of files and any modifications to them is therefore important. If you have an endpoint detection and response product installed, you can also review logs and process command execution.”

Long-term impact of Hafnium: could Microsoft cash in?

Microsoft’s Office 365 cloud-based email is unaffected by the attack, the tech giant says, which will be some comfort to the many businesses that have already moved their email provision to the cloud. Though these services are not without their own security risks, data from Eurostat shows that 76% of EU companies using cloud computing are running cloud-based email servers, making it the most popular applications of cloud computing.

Security expert Dmitri Alperovitch, co-founder and former CTO of cyber defence business Crowdstrike, believes organisations that haven’t yet patched their servers should consider moving into the cloud, stating on Twitter that they have demonstrated they are “not capable of managing the difficulties of running on-prem infrastructure”:

Cloud computing is central to MSFT’s strategy for the future, and the impact of the Hafnium breach may make customers more open to switching to cloud-based email servers such Office 365 or Google’s Gmail as they continue their digital transformations. With a spike in demand for its security products also possible, as organisations reassess their defences, Microsoft could yet find it profits from what has been a difficult period for the company.