Hafnium’s Scorched-Earth Cyberattacks: A Sign of What’s to Come?

Posted by Joe Hannan on Apr 15, 2021 11:26:05 AM
Joe Hannan
Find me on:

GoVanguard-Blog Post 3-Graphic

Some people just want to watch the world burn. Never has that been more apparent than in the recent exploit of Microsoft’s On-Premise Exchange Server, a hack with massive implications. The perpetrators, it seems, may just want to sow chaos. 


Cybercriminals often have a narrow focus. Historically, that’s been the case with Hafnium, the people Microsoft says are behind the OWA breach. Until now, Hafnium’s game has been to hack infectious disease researchers, law firms, defense contractors, policy think tanks, and NGOs to steal and distribute, or ransom, their intellectual property. With the Exchange exploit, Hafnium is going for quantity, according to KrebsonSecurity. So far, about 30,000 public and private institutions have been breached. But globally, CBS reports that the number is in the hundreds of thousands. 


Understanding the tactics 

Krebs calls this mass ransomware. The attack exploited a since-closed vulnerability that allowed Hafnium to install “webshells, which you can think of as backdoors to an infected computer or server. According to Cybersecurity & Infrastructure Security Agency (CISA), webshells are pieces of code that can allow a hacker to take over a machine, extract data and credentials, upload malware, or control a network. Once installed, a cybercriminal can use a webshell to cripple a company or steal its data, restoring access after the company pays a ransom. 


Most medium- to large-sized businesses have migrated to the more secure Office365, leaving On-Premise Exchange mostly to small businesses, police departments, city and state governments, hospitals, and individuals. By turning on the OWA exploit, Hafnium may be going for quantity. It’s also possible something more nefarious is afoot.  


Hafnium is a Chinese group of hackers. This fact largely would be inconsequential if the attack didn’t occur amid increasingly tense diplomatic relations between the U.S. and China. Recently, Admiral Philip Davidson testified before the Senate Armed Services Committee, sounding the alarm that China may move to take Taiwan within the next six years. 


“I worry that they’re accelerating their ambitions to supplant the United States and our leadership role in the rules-based international order,” Davidson said. “They’ve long said they want to do that by 2050. I’m worried about them moving that closer.” 


Is cyberwarfare a component of China’s strategy? We’ve certainly seen nation states target one another with cyberattacks, the most recent example being the FireEye/SolarWinds breach, carried out by Russia’s S.V.R. intelligence service. Is the Exchange attack an act of cyberwarfare carried out by the Chinese Communist Party? Time will tell. But what better way to sow chaos than to disrupt the U.S. economy, government, and citizens from the bottom up? 


Inside the attack 

To understand the severity of this breach, consider that Microsoft typically follows a schedule for releasing fixes. Its Patch Tuesdays usually occur on the second and (sometimes) fourth Tuesdays of the month. The Exchange breach was so severe that Microsoft issued a patch on Tuesday, March 2 (not a Patch Tuesday)Microsoft followed this unusual move with a series of patches for out-of-date exchange versions. 


The cybersecurity firm Volexity caught wind of the breach in January and notified Microsoft. However, in the interim, CBS reports that Hafnium hackers have since used the webshells to steal passwords and install cryptocurrency-mining software on servers. A leak by a Microsoft security partner may have exacerbated the situation, and this leak may have signaled open season to other state actors, including Russia.  


Unfortunately, patches do not expel cybercriminals who have already gained access to systems. Over time, Hafnium could ransom compromised servers, sell them to other bad actors, use them as part of a larger distributed attack, or use them as part of an attack chain against the organization in the future.  


What to do about it 

 In short, if you’re a business owner, migrate your business to Office365. Office365 is an example of software as a service (SAAS), meaning you pay for a license to use the software, which is centrally hosted on a Microsoft server. The advantage with SAAS is that in this case, it’s Microsoft’s problem to keep that server and your data secure. Businesses running OWA must secure their own infrastructure, which is a challenge contingent on business size and resources. 


If migrating to Office365 isn’t an option, your next best line of defense is to install any and all Microsoft-issued patches. From there, continue (or begin) cloud-based backups to prevent data loss in the event of a ransom attack. CISA also issued the following guidance for federal agencies, which you can implement. 


  • Collect digital forensic images of your servers. These are complete backups that include content, unused space, and slack data. 
  • Scan all servers and digital assets for known vulnerabilities. 
  • Microsoft has issued a script that reviews all log files for indicators of compromise (IOCs). Run it, says CISA. 


The Exchange breach also represents another example of the importance of user security awareness training and good policy and procedures. If a user can’t access their account but didn’t recall resetting their password, is your IT investigating their identity and access logs? Also, your employees should know how to spot social engineering attempts and how to use proper password security. Furthermore, your IT department should establish a baseline for activity athe firewall and monitor for any changes, especially in unusual outgoing connections. Finally, if you aren’t using non-SMS-based multi-factor authentication, you should be.  


If you had the misfortune of running Exchange OWA during this attack, taking these steps will do little if you’ve already been breached. This is where working with an elite cybersecurity firm will pay dividends. Incident response is essential, but it’s only the beginning of the process. A good cybersecurity firm will eliminate any existing breaches and help you create a risk reduction plan, which might include penetration testing, social engineering testing, continuous security monitoring, and employee security training.  


We’re only a few months into 2021, and already we’ve seen two unprecedented security breaches originating from hostile nations. The implications are clear: Cyberwarfare likely will continue to escalate and affect those who previously have been insulated. We’re likely to see more cybercriminals, like Hafnium, who are content to watch the world burn. Prepare yourself and your business accordingly. 


Topics: hack, cybersecurity, information security, privacy, Data Privacy, pentesting, penetration testing

Recent Posts