Contents
Hafnium, a threat group allegedly sponsored by China, has attacked on-premises Exchange servers all over the world. The group exploited the authentication bypass vulnerability on unpatched on-premises Exchange servers to gain access to the servers. After gaining access, they installed web shells to remotely control the server and steal sensitive information, such as employees? email addresses and passwords.
In response to the Hafnium attack, Microsoft has released Exchange On-Premises Mitigation Tool (EOMT). The tool helps mitigate the risks to on-premises Exchange servers, on which security patches are not installed. The EOMT tool works with Exchange Server 2013, 2016, and 2019.
Hafnium Microsoft Exchange Breach ? Impact on Businesses
Hafnium targeted Small and Medium-sized Enterprises (SMEs) across the globe. SMEs are generally more vulnerable and affected by such malicious attacks due to the lack of cybersecurity rigor and expertise. They may also face significant challenges with investigating and protecting their systems from ransomware or malicious attacks due to lack of resources.
Unlike large enterprises, small businesses primarily rely on Microsoft security updates to secure their on-premises Exchange servers from vulnerabilities. However, patching the security flaws does not clear the aftermath of hacking. In the event of a malicious attack, such as the Hafnium episode, it is critical to investigate the server and swiftly remove the web shells, malware, etc.
How do you know that your Exchange Server is compromised?
To ascertain whether your Exchange Server is targeted by Hafnium, download and run Microsoft?s Exchange On-Premises Mitigation Tool (EOMT) via Exchange Management Shell. Microsoft has developed the one-click mitigation tool to address the ProxyLogon RCE vulnerability by helping find and remove web shells and malware installed on the compromised server.
The EOMT.ps1 script is located in the following location after you extract the zipped folder:
CSS-Exchange-main\CSS-Exchange-main\Security\src location
Navigate to the above location in EMS and then enter the following command to execute the EOMT.ps1 script:
.\EOMT.ps1
If the server isn?t compromised, install the patches and security updates released by Microsoft.
If the server is compromised, get in touch with the Microsoft support or contact a security vendor for support if you don?t have in-house security or incident response team.
Although the EOMT tool runs an MSERT scan, there?s a possibility that your server may still have web shells and malware or backdoors installed. And since many other threat actors are also exploiting the vulnerabilities, attackers can still access your server through these hidden web shells and backdoors.
Thus, it?s recommended to set up a new Exchange server. You can then export the mailboxes from your compromised server to a PST file and import the PST mailboxes into the database on the new live Exchange server via Exchange Admin Center (EAC). Also, reset all the passwords.
However, this process is not simple and may not work if the server has broken or crashed after the Hafnium attack. In such a case, you can use a third-party Exchange server recovery software, such as Stellar Repair for Exchange. The tool helps you extract mailboxes from the offline or crashed Exchange server database and export them to the mailbox database on the new Exchange server. It auto maps the source and destination mailboxes and helps you restore the mailbox connectivity with minimal downtime. If a mailbox is not found on the destination server, the software provides an option to create a new mailbox and map the mailbox manually.
Conclusion
Hafnium targeted small and medium enterprises, government institutions, and organizations worldwide. The extent of the breach was so significant that it led Microsoft to roll out security patches for unsupported and legacy Exchange server versions. However, by the time Microsoft released the patches, thousands of Exchange servers were already breached by Hafnium.
If your Exchange server has crashed due to the Hafnium attack, it is advised to set up a new identical Exchange server and then export the mailboxes to the new server by using an Exchange recovery software.
