What is going on?

Microsoft and cyber security agencies have confirmed that security vulnerabilities in on-premises Microsoft Exchange Server are being actively exploited across the UK and the rest of the world by the Chinese state-backed hacking group that Microsoft tracks as HAFNIUM. Microsoft admit that the attacks were discovered late, after exploitation was already under way, and cyber security agencies are warning that thousands of organisations may already be affected.

The vulnerabilities affect only on-premises Exchange Server installations, which includes the on-premises servers in a hybrid deployment. Exchange Online / Microsoft 365 is not affected.

Which versions of Microsoft Exchange are affected?

Microsoft have confirmed that the vulnerabilities affect:

  • Microsoft Exchange Server 2019
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2010 **

** Microsoft Exchange Server 2010 includes related code that may also be vulnerable, and has received an update as well.

How to mitigate the security crisis

Microsoft have released security updates for all affected versions of Microsoft Exchange Server.

Install the March 2021 Exchange security update on every on-premises Exchange server. The update is specific to the cumulative update (CU) a server is running and only installs on the CUs Microsoft lists as supported, so a server on an older CU must first be brought up to a supported CU and then have the security update applied. Run the update from an elevated command prompt; installing it without elevation leaves the update incomplete. Patching closes the entry point used by the attackers, but it does not remove anything they placed on a server that was exposed before the patch was applied, so every server that was reachable from the internet before patching should also be checked for compromise (see below).

Microsoft have published a blog post, which they are updating as the situation develops, covering the security updates and interim mitigations for Exchange servers that cannot be patched immediately: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901.
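The check below is an added example and not code from the original post or from Microsoft. It reads the Exchange build from ExSetup.exe and reports whether the server is at or above the March 2021 security update build for its CU, or whether it is on a CU that never received the update. The build numbers in the table are taken from Microsoft's Exchange Server build numbers and release dates table for the March 2021 update; verify them against the current table before relying on them.

```powershell
# Added example, not from the original post: report the Exchange build on this
# server and say whether it is at or above the March 2021 security update (SU)
# build for its cumulative update (CU). Run in an elevated PowerShell prompt on
# each on-premises Exchange server (the v15 key covers 2013/2016/2019; 2010
# lives under a v14 key and is read the same way).
#
# The build numbers are taken from Microsoft's "Exchange Server build numbers
# and release dates" table for the March 2021 SU. Verify them against the
# current table before relying on them. A CU that is missing from this table
# did not receive the SU and must be upgraded to a listed CU first.
$PatchedBuilds = @(
    @{ Name = 'Exchange 2019 CU8';  Cu = '15.2.721';  MinRevision = 13 },
    @{ Name = 'Exchange 2019 CU7';  Cu = '15.2.659';  MinRevision = 12 },
    @{ Name = 'Exchange 2016 CU19'; Cu = '15.1.2176'; MinRevision = 9  },
    @{ Name = 'Exchange 2016 CU18'; Cu = '15.1.2106'; MinRevision = 13 },
    @{ Name = 'Exchange 2013 CU23'; Cu = '15.0.1497'; MinRevision = 12 }
)

function Get-ExchangeInstalledBuild {
    # ExSetup.exe carries the server build; the install path is stored in the
    # Setup key of the installed Exchange version.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup',
                     'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\Setup') {
        if (-not (Test-Path $key)) { continue }
        $root = (Get-ItemProperty -Path $key).MsiInstallPath
        $exe  = Join-Path $root 'bin\ExSetup.exe'
        if (Test-Path $exe) {
            $v = (Get-Item $exe).VersionInfo
            return [Version]::new($v.FileMajorPart, $v.FileMinorPart,
                                  $v.FileBuildPart, $v.FilePrivatePart)
        }
    }
    throw 'No on-premises Exchange installation found on this host.'
}

function Test-ExchangePatchLevel {
    param([Version]$Installed = (Get-ExchangeInstalledBuild))

    # The first three parts identify the CU; the fourth moves with each SU.
    $cu    = '{0}.{1}.{2}' -f $Installed.Major, $Installed.Minor, $Installed.Build
    $entry = $PatchedBuilds | Where-Object { $_.Cu -eq $cu }

    if (-not $entry) {
        $status = 'UNSUPPORTED CU'
        $action = 'Upgrade to a CU that received the March 2021 SU, then install the SU.'
    } elseif ($Installed.Revision -ge $entry.MinRevision) {
        $status = 'PATCHED'
        $action = "$($entry.Name) is at or above the SU build."
    } else {
        $status = 'VULNERABLE'
        $action = "Install the March 2021 SU for $($entry.Name) from an elevated prompt."
    }
    [pscustomobject]@{ Installed = $Installed; Status = $status; Action = $action }
}

# Constructed inputs (not taken from any real server) exercising each branch:
Test-ExchangePatchLevel -Installed ([Version]'15.1.2176.9') | Format-List   # 2016 CU19 with the SU
Test-ExchangePatchLevel -Installed ([Version]'15.1.2176.2') | Format-List   # 2016 CU19 base build
Test-ExchangePatchLevel -Installed ([Version]'15.1.1979.3') | Format-List   # 2016 CU17 base build

# Live check of the server this runs on:
Test-ExchangePatchLevel | Format-List
```

The comparison deliberately keys on the CU (the first three parts of the build) before looking at the revision, because an older revision number on a different CU says nothing about whether the update is missing; that server needs a CU upgrade first, which is the case administrators most often get wrong.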

How can I tell if we have already been compromised?

Microsoft are recording the observed indicators of compromise in the following post: HAFNIUM Targeting Exchange Servers.
It covers the issue in more depth, including the log entries and file locations to check; if it is a bit overwhelming we are happy to assist in investigating whether your Exchange installation has been compromised.

The post also contains advanced hunting queries for Microsoft Defender for Endpoint and Azure Sentinel. If you use other security products, ask your vendor whether their signatures and detection rules have been updated for the published Indicators of Compromise (IoCs).
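For servers without Defender for Endpoint or Sentinel, the script below is an added example (not code from the original post or from Microsoft) built from the indicators Microsoft published in the HAFNIUM post referenced above. It searches the HttpProxy logs for unauthenticated requests whose anchor routes to a server rather than a mailbox, lists recently written .aspx files in the directories where web shells were dropped, and looks for Set-*VirtualDirectory entries in the ECP server logs. The sample log it writes to a temp folder is constructed, not a real capture; the Exchange paths are the defaults for a 2013/2016/2019 install.

```powershell
# Added example, not from the original post: a local triage script built from
# the indicators Microsoft published in the HAFNIUM post referenced above.
# Run it in an elevated prompt on each on-premises Exchange 2013/2016/2019
# server. A hit is a reason to investigate, not proof of compromise; an empty
# result does not prove the server is clean, so treat this as a complement to
# the vendor tooling, not a replacement for it.
$ExchangeRoot = "$env:ProgramFiles\Microsoft\Exchange Server\V15"

function Find-SuspiciousProxyRequests {
    param([string]$LogPath = "$ExchangeRoot\Logging\HttpProxy")
    # Exploitation shows up as requests with no authenticated user whose
    # AnchorMailbox routes to a server ("ServerInfo~host/path") rather than
    # to a mailbox ("Sid~..." or "Smtp~...").
    Get-ChildItem -Path $LogPath -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        ForEach-Object { Import-Csv -Path $_.FullName } |
        Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
        Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
}

function Find-RecentAspx {
    param([int]$Days = 30)
    # Locations where web shells were found. Some legitimate .aspx files live
    # in owa\auth, so compare any hit against a known-good server rather than
    # treating every file as hostile.
    $paths = @(
        "$ExchangeRoot\FrontEnd\HttpProxy\owa\auth",
        "$env:SystemDrive\inetpub\wwwroot\aspnet_client"
    )
    Get-ChildItem -Path $paths -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object FullName, LastWriteTime, Length
}

function Find-VirtualDirectoryChanges {
    param([string]$LogPath = "$ExchangeRoot\Logging\ECP\Server")
    # Microsoft's indicators include Set-<App>VirtualDirectory entries in the
    # ECP server logs; their property values should never contain script.
    Get-ChildItem -Path $LogPath -Filter '*.log' -ErrorAction SilentlyContinue |
        Select-String -Pattern 'Set-.+VirtualDirectory' |
        Select-Object Filename, LineNumber, Line
}

# Constructed sample log (not a real capture) so the proxy query can be tried
# away from an Exchange server. Real HttpProxy logs have many more columns;
# the query only relies on the ones shown. Only the third row should match.
$sample = Join-Path $env:TEMP 'httpproxy-sample'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
@'
DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T10:00:01.000Z,10.0.0.5,/owa/,CONTOSO\alice,Sid~S-1-5-21-1-2-3-1001
2021-03-03T10:00:02.000Z,10.0.0.5,/ecp/,CONTOSO\alice,Sid~S-1-5-21-1-2-3-1001
2021-03-03T10:00:03.000Z,203.0.113.7,/ecp/,,ServerInfo~exch01.contoso.local:444/ecp/
'@ | Set-Content -Path (Join-Path $sample 'HttpProxy_sample.log')
Find-SuspiciousProxyRequests -LogPath $sample | Format-Table -AutoSize

# Live checks on this server:
Find-SuspiciousProxyRequests | Format-Table -AutoSize
Find-RecentAspx              | Format-Table -AutoSize
Find-VirtualDirectoryChanges | Format-Table -AutoSize
```

Keep the output: the timestamps and client IPs from the proxy log hits are what you will need to scope the intrusion in firewall and domain controller logs, and the file list is what MSERT or your AV should be asked to quarantine. HttpProxy logs are retained for a limited period by default, so copy them off the server before they roll over.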

How to remediate the issue

Microsoft are recommending scanning affected servers with the Microsoft Safety Scanner (MSERT), which has been updated to detect the web shells and tools used in these attacks, and that is worth doing first. If you have backups, consider restoring the Exchange environment to a point before it was compromised and then running the scanner or your AV to confirm it is clean. A restored server is still unpatched, so apply the security update before it is reconnected to the internet, otherwise it will simply be compromised again. Restoring also does not undo anything the attackers did with the access they gained, such as harvesting credentials from the server, so resetting those should be part of the clean-up.

Permanent Solution

What has been evident during this fallout is that Microsoft Exchange Online / Microsoft 365 has not been affected by these vulnerabilities, presumably because Microsoft patch the service themselves as soon as an issue is identified, with no action needed from customers. In light of this, we would recommend considering migrating existing on-premises Exchange solutions to Microsoft 365, which is at less risk from future vulnerabilities of this kind and is renowned as a highly reliable service with high uptime.

We do offer Microsoft 365 Migration services and you can read further into the benefits of Microsoft 365 here. If you would like to discuss this further, please contact 01684 215165 or email info@spectrum-it.uk.