Four zero-day vulnerabilities in Microsoft® Exchange Server are being actively exploited by multiple actors, including the state-sponsored threat group Hafnium. The group routes its operations through leased U.S. Virtual Private Servers (VPS) to mask its true location. It is estimated that the group breached nearly 60,000 servers globally, primarily targeting organizations and their email, starting as early as January 6th, 2021.
After obtaining stolen credentials during the reconnaissance stage, Hafnium deployed a malicious web shell to execute commands remotely, add user accounts, and steal copies of the Active Directory database. Once active, the group maintained control and moved laterally by running ProcDump, a utility used to dump the credentials held by the Local Security Authority Subsystem Service (LSASS). LSASS is the process that enforces the system's security policy and handles authentication for access to the server. Endpoints, such as mobile devices, laptops, servers, and virtual machines, are potential entry points into an environment. In this case, multiple actors broke in through the Microsoft Exchange Server endpoint. Enforcing server malware detection and security monitoring on business applications protects endpoints from unauthorized access.
At this time, Microsoft has released tools to detect and remediate the massive hack. However, a defensive approach alone won’t limit the blast radius. Preventive action is the next step to avoid future security friction and impact.
CyberGRX’s MITRE® Threat Profile categorizes gaps based on business structure and industry to enable customers and vendors across multiple industries to get visibility and prevent and halt future threats. With the rise of supply chain threats, CyberGRX tracks associated attack methods and prioritizes critical controls for prevention.
Here are the gaps addressed by our MITRE Threat Profile:
Capturing User Log Activity
By leveraging personal credentials and information on employees, the adversary scoped the Microsoft Exchange Server environment and developed an open-source framework to target it. Beyond this, the threat actor was able to shield its traffic by routing it through a VPS. One of the first layers of defense against attackers and unauthorized access to your server is a firewall, which analyzes traffic and decides which traffic should be allowed to pass and which should be stopped.
3.1.1 Collect - Data Ingestion and Management: Ingest internal and external data sources into security monitoring and analytics platforms.
3.2.1 Assess - Security Alerting and Analytics: Leverage data from security monitoring and analytics platforms to alert on known signatures, unknown attacks, and abnormal behavior.
2.1.4 End User Behavior Activity Monitoring: Capture and record end user activity to enable alerting and investigation of potentially malicious behavior.
5.2.3 Database Activity Monitoring: Monitor database access and activity to find potentially malicious activity.
7.2.2 Network Firewalls: Use network firewall capabilities to provide a layer of perimeter defense against malicious network attacks.
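The alerting described in 3.2.1 and 2.1.4 can be illustrated with a few rules run over process-creation telemetry. The block below is an added example, not CyberGRX's or Microsoft's code. It assumes events arrive as dictionaries in a Sysmon-like shape with the fields image, parent_image and command_line (the field names are assumptions), and it flags three behaviours the post describes: ProcDump invoked against LSASS, command execution originating from a web shell (modelled here as the IIS worker process w3wp.exe spawning a shell, which is an assumption about how the web shell ran), and local account creation via net user /add. The sample events are constructed for the example.

```python
"""Detection rules over constructed process-creation events (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    rule: str
    reason: str
    event: dict = field(repr=False)


# Tool names and the parent-process assumption below are mine, not from the post.
DUMP_TOOLS = {"procdump.exe", "procdump64.exe"}
LSASS_RE = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)
WEB_WORKERS = {"w3wp.exe"}  # IIS worker process; assumed parent of web-shell commands
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
NET_TOOLS = {"net.exe", "net1.exe"}
NET_USER_ADD_RE = re.compile(r"\buser\b.*\s/add\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev: dict) -> list[Finding]:
    """Apply every rule to one event and return the findings (empty if benign)."""
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    findings: list[Finding] = []

    # Credential dumping: ProcDump pointed at the LSASS process.
    if image in DUMP_TOOLS and LSASS_RE.search(cmd):
        findings.append(Finding("credential_dump_lsass", f"{image} invoked against LSASS", ev))

    # Web shell activity: the web server worker spawning an interactive shell.
    if parent in WEB_WORKERS and image in SHELLS:
        findings.append(Finding("webshell_command_execution", f"{parent} spawned {image}", ev))

    # Persistence: a new local account being added from the command line.
    if image in NET_TOOLS and NET_USER_ADD_RE.search(cmd):
        findings.append(Finding("local_account_creation", "net user /add observed", ev))

    return findings


def scan(events: list[dict]) -> list[Finding]:
    """Run check_event over a stream of events, preserving event order."""
    out: list[Finding] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample telemetry: one benign event followed by three suspicious ones.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe"},
    {"image": r"C:\Windows\Temp\procdump64.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": "cmd.exe /c whoami"},
    {"image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "net.exe user svc_backup P@ssw0rd! /add"},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.reason}: {f.event['command_line']}")
```

Each rule keys on the behaviour rather than on a file hash, so renaming the dumping tool or the shell does not by itself evade the check; the parent-process rule in particular is the kind of signal a security monitoring platform can raise as soon as the web shell runs its first command.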
The security gaps found in the Microsoft Exchange Server breach can be traced back to the lack of access controls aimed at limiting access to system resources. Organizations can manage system and network access through an integrated and standardized access management program.
3.2.3 Credential Standard: Establish an authentication standard that protects against unauthorized access to information and systems.
3.1.6 Entitlement Suspensions: Suspend entitlements in response to policy violations or anomalous behavior.
3.1.2 Least Privilege: Grant entitlements to system resources based on the principle of least privilege, ensuring users only have the access necessary for their role.
3.1.3 Segregation of Duties (SoD): Consider segregation of duties (SoD) when granting access to system resources, avoiding potential conflicts of interest that could increase the potential for compromise or fraud.
3.2.9 Email Authentication: Use strong email authentication methods such as DKIM and SPF to enable improved filtering for SPAM, phishing, and other malicious email.
3.3.1 Access Management Program: Manage system and network access through an integrated and standardized access management program.
3.3.3 Access Provisioning: Utilize a standard access provisioning process to ensure user access is provisioned across the enterprise.
7.3.1 Security Staff Training: Establish a robust security training framework to acquire and maintain the skills necessary for effective job performance, career growth, and retention of security talent.
The zero-day vulnerabilities exploited have been in the Microsoft Exchange Server code base for more than 10 years. Once in control of the server, the threat actor archived and scraped customer data by exploiting the public-facing application, and used that server access as a launchpad for malware distribution.
To defend against future zero-day risks, it's important that organizations take action to find, prioritize, and remediate the risks uncovered through penetration testing. Threat actors leave traces of evidence. Attack patterns and behavior can be monitored so that weak points across the server can be patched.
2.2.3 Penetration Tests: Conduct penetration testing to identify security vulnerabilities (e.g. staff, systems, and facilities).
2.3.1 Vulnerability Prioritization: Build a vulnerability prioritization framework that effectively and quickly prioritizes the vulnerabilities across all asset classes in the environment.
2.3.2 Vulnerability Remediation: Remediate identified vulnerabilities in the environment.
2.3.3 Patch Management: Establish a patch management program to reduce the risk of vulnerability exploitation.
CyberGRX helps you protect your organization against current and future security vulnerabilities like this Microsoft Exchange Server cybersecurity incident. Our innovative tool, Framework Mapper, allows you to map our award-winning assessment back to both custom and industry frameworks to instantly gain visibility into controls coverage, measure data protection policies and standards of third parties, and drive remediation workflows.