Microsoft Exchange Server Hack Shows Why Risk Assessment Is Key to Data Security


In early March, the Chinese-connected group HAFNIUM attacked organizations around the globe. The attack, which went in through the web-facing front end of on-premises Exchange, could have been prevented. Microsoft knew about the vulnerabilities and the related attacks earlier in 2021 and planned to ship the patches in its March 9 Patch Tuesday release.

It is difficult for organizations to manage email security risks, and in this case the risk of unauthorized access to Active Directory credentials, when major flaws exist in widely used software. Even so, most organizations were protected from these attacks by one of two approaches to delivering Exchange services.

The Attack

HAFNIUM, a Chinese government-supported hacking group, chained four vulnerabilities in the web-facing front end of Exchange (the component that serves Outlook Web Access and the Exchange Control Panel) to compromise on-premises Exchange servers. Microsoft reports that the attack begins with HTTP requests from servers HAFNIUM leased in the U.S.; a server-side request forgery flaw lets those requests authenticate as the target organization's Exchange server. A second flaw lets the attackers run code as SYSTEM, and two more let an authenticated attacker write files to any path on the Exchange server.

Once an Exchange server is compromised, HAFNIUM runs its tooling with administrative rights. This lets the attackers steal email content and dump the memory of the LSASS process, which holds the credentials of logged-on accounts, including Active Directory credentials. They also download the Exchange offline address book, which lists the organization's users.

The attack is designed for persistence. Part of it is installing web shells, a common attacker tool, which give HAFNIUM continued access to the server long after the initial exploitation.


Microsoft was Informed Before the Mass Attack

Brian Krebs described multiple notifications to Microsoft about the looming attack.

    • DEVCORE notified Microsoft on January 5 of two of the four vulnerabilities used by HAFNIUM. They say Microsoft did not respond, which suggests that management at Microsoft was not overly concerned.
    • Volexity identified attacks using the two DEVCORE-reported vulnerabilities on January 6 and notified Microsoft on February 2.
    • Dubex discovered on January 18 that some of its clients had been attacked and reported the attacks to Microsoft on January 27.

On February 26, HAFNIUM began mass scanning to launch attacks. Even though attacks had been reported to Microsoft as early as January 27, Microsoft planned to wait until Patch Tuesday, March 9, to release the patches to customers. It moved the release up to March 2 because of the many reported scans for the known vulnerabilities.

It is not clear why Microsoft decided to wait until a scheduled patch day, knowing that attacks were already underway.

Ryan Sherstobitoff, writing for SecurityScorecard, reports that the number of organizations affected by the HAFNIUM attack is likely far lower than the more than 30,000 widely reported. SecurityScorecard was able to find only about 18,000 organizations globally with vulnerable public-facing Exchange services (including instances of Outlook Web Access). As of March 15, they had identified 302 compromised organizations.

Do Not Allow Public Access to Exchange

Microsoft provides two approaches that keep the public away from mailbox servers: Exchange Online and the Exchange Edge Transport server role. Exchange Online, an increasingly popular business email service that is part of Microsoft 365, was unaffected by the HAFNIUM attack. This implies that Microsoft takes the steps we would expect to keep its own mail servers from direct public access.

In the enterprise, the Edge Transport role is installed on a server placed in the DMZ and relays SMTP mail between the Internet and the internal mailbox servers, so Internet hosts never connect to the mailbox servers to deliver mail. It also keeps Active Directory queries off the perimeter: the Edge server is not domain-joined and works from a synchronized copy of recipient data. One caveat matters here. Edge Transport handles only SMTP, while the HAFNIUM chain went in over HTTPS to the Client Access front end (OWA, ECP, EWS and the other web services). An Edge server on its own therefore does not close that door; the web front end still has to be kept off the Internet, placed behind a VPN or a reverse proxy that authenticates users first, or at minimum restricted so that the Exchange Control Panel (/ecp) is reachable only from inside.

Is it possible that because these two secure approaches to using Exchange are widely used, Microsoft is less focused on protecting direct access to Exchange server software in the code?

Based on the SecurityScorecard research, it appears that the majority of organizations using Exchange had taken appropriate steps to protect their email servers from this type of attack, including switching to Exchange Online. As a security manager, I would certainly have taken steps to prevent public access to my mail servers. Email is one of IT's most essential services, and letting an attacker walk off with Active Directory credentials is entirely unacceptable. However, Microsoft cannot assume that organizations will do this.
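The first step in applying this advice is knowing which Exchange web endpoints your own organization exposes, which is essentially the check SecurityScorecard ran at Internet scale. The following Python script is an added example, not code from the article or from SecurityScorecard: it requests each well-known Exchange virtual directory over HTTPS and treats a path as served by Exchange when the response carries the X-FEServer header that the Exchange front end adds, or a status that a front end returns for that path. The host name is a placeholder, the risk ranking (ECP exposed to the Internet is the worst case) is our own judgment, and the probe is separated from the assessment so the logic can be exercised with constructed responses. Run it only against hosts you are authorized to test.

```python
import ssl
import urllib.error
import urllib.request

# Exchange Client Access virtual directories and how bad it is for each one to be
# reachable from the Internet (assumption: a typical on-premises deployment where
# only OWA and mobile sync genuinely need to be public).
ENDPOINTS = {
    "/owa/": "medium",
    "/ecp/": "critical",                      # admin centre: never Internet-facing
    "/ews/exchange.asmx": "medium",
    "/autodiscover/autodiscover.xml": "medium",
    "/microsoft-server-activesync": "medium",
    "/mapi/": "medium",
    "/aspnet_client/": "low",                 # static content, but a web shell drop site
}

# Statuses an Exchange front end returns for these paths: a page, a redirect to the
# logon form, or an authentication challenge. A bare 404 means nothing is there.
EXCHANGE_STATUSES = {200, 302, 401, 403}


def probe_https(host, path, timeout=5):
    """Fetch https://host/path and return (status, headers); (None, {}) when unreachable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # reconnaissance only: self-signed certs are common
    req = urllib.request.Request(
        "https://%s%s" % (host, path),
        headers={"User-Agent": "exchange-exposure-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, {k: v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:         # 4xx/5xx still tells us who answered
        return err.code, {k: v for k, v in err.headers.items()}
    except OSError:                                # DNS, TCP, TLS or timeout failure
        return None, {}


def served_by_exchange(status, headers):
    """True when the response looks like it came from an Exchange front end."""
    if status is None:
        return False
    has_fe_header = any(name.lower() == "x-feserver" for name in headers)
    return has_fe_header or status in EXCHANGE_STATUSES


def assess(host, probe=probe_https):
    """Map each exposed Exchange path to its risk level; probe is injectable for testing."""
    findings = {}
    for path, risk in ENDPOINTS.items():
        status, headers = probe(host, path)
        if served_by_exchange(status, headers):
            findings[path] = risk
    return findings


def verdict(findings):
    """Collapse the findings into one word an owner can act on."""
    if "/ecp/" in findings:
        return "critical"
    if findings:
        return "exposed"
    return "not-exposed"


if __name__ == "__main__":
    target = "mail.example.com"          # placeholder; substitute your own host
    result = assess(target)
    for path, risk in sorted(result.items()):
        print("%-34s %s" % (path, risk))
    print("verdict:", verdict(result))
```

A "critical" verdict means the management interface itself is one exploit away from anyone on the Internet; "exposed" with only /owa/ and /microsoft-server-activesync listed is the usual, still patch-dependent, state of an on-premises deployment and is where a pre-authenticating proxy or VPN earns its keep.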

Security teams have to rely on vendors to keep their products secure. Risk assessments assume that third-party products are reasonably safe, or are quickly updated when the likelihood of attack rises to a concerning level. These assumptions carry weight when deciding how to spend often limited budget dollars and when preparing for incidents, particularly for smaller organizations with limited resources.


The Final Word

Microsoft shipped Exchange software with serious security flaws. It is never possible to remove every defect. However, chains of vulnerabilities that lead from an unauthenticated web request to mailboxes and LSASS memory are obvious attack paths that Microsoft should test before release.

As a security director, I worked with the development and QA teams to create test plans based on probable attack paths against critical information resources. The test plans included attack vectors identified through cross-team brainstorming sessions. It was not perfect, but we were confident that we had covered enough that our incident response would fill in the gaps.

Vendors like Microsoft have to work at least the same way. I am sure Microsoft teams work hard to "get it right," but they have to do better.

On the other hand, organizations cannot assume that vendors do everything right. Consequently, risk management activities must include taking steps to prevent public access to any high-value information asset. There is little reason for organizations to continue to allow just anyone to access their mail servers.  

For those businesses that want to continue hosting Exchange in-house, the Edge Transport role is a good way to keep inbound SMTP off the mailbox servers, but it has to be paired with controls on the HTTPS side: a VPN or a reverse proxy that authenticates users in front of OWA, no Internet exposure for the Exchange Control Panel, and firewall rules that limit which hosts can reach port 443 on the Exchange servers. Third-party products and firewall/IPS signatures can also help detect and block the traffic generated by the HAFNIUM exploit chain and attacks like it. Small businesses without the resources to manage these controls should seriously consider moving to Exchange Online.
