Over 30,000 US Organizations Hit in Hafnium Exchange Server Attack
In the last couple of days it has come to light that a group known as Hafnium has been attacking and exploiting on-premises Microsoft Exchange servers.
Hafnium is a China-based hacker group with ties to the Chinese government. It is relatively new but has still been incredibly impactful in a short amount of time. The first traces of Hafnium date to January 2021, when it started exploiting Microsoft Exchange servers.
In the most recent wave of attacks the Hafnium group changed its approach from stealthy, targeted intrusions to a broad range of targets and an extremely high volume of attacks.
The main wave of attacks occurred between February 26 and March 3 and targeted any internet-exposed on-premises Exchange server it could find. The attack was extremely effective and compromised over 30,000 organizations in the US, ranging from small hotel chains and an ice cream company to local city and county governments, healthcare providers and banks. Anyone with an on-premises Exchange server that was reachable from the internet during the wave of attacks should assume that it was compromised and begin incident response.
Other attackers have also been trying to piggyback on the Hafnium attacks by using the web shells Hafnium left behind (small server-side scripts that give remote command access over HTTP) to get their own access, instead of the original Chinese operators. Patching closes the entry point but does not remove anything already dropped on the server, so it is important to check for unwanted files even after patching: if any of Hafnium's malicious files are still on your server then you are still open to attack.
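As an added example (not Firestorm Cyber's tooling or anything from the original post), the following PowerShell triage script lists recently created or modified ASP.NET files under the Exchange front-end and IIS directories where dropped web shells are commonly found, hashes them, and flags content patterns typical of web shells. The scan directories, the start date and the indicator strings are assumptions for illustration; adjust `$ExchangeRoot` to your install location.

```powershell
# Added example: quick post-patch triage for attacker-dropped ASP.NET files on an
# on-premises Exchange server. Not Firestorm Cyber's code; paths and indicators are
# assumptions for illustration, not an exhaustive IOC list.
param(
    [string]$ExchangeRoot = "$env:ProgramFiles\Microsoft\Exchange Server\V15",
    [datetime]$Since = (Get-Date "2021-02-26")   # assumed start of the mass-exploitation wave
)

# Assumed drop locations: Exchange front-end auth folders and the IIS aspnet_client folder.
$ScanDirs = @(
    (Join-Path $ExchangeRoot "FrontEnd\HttpProxy\owa\auth"),
    (Join-Path $ExchangeRoot "FrontEnd\HttpProxy\ecp\auth"),
    "C:\inetpub\wwwroot\aspnet_client"
)

# Constructed list of regexes that commonly appear in ASP.NET web shells.
$Indicators = @('Request\["', 'Request\.Item', 'eval\(', 'JScript\.Eval', 'Process\.Start')

$Findings = foreach ($dir in $ScanDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $file    = $_
            $content = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
            $hits    = $Indicators | Where-Object { $content -match $_ }
            [pscustomobject]@{
                Path       = $file.FullName
                Created    = $file.CreationTime
                Modified   = $file.LastWriteTime
                SHA256     = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                Indicators = ($hits -join ', ')
            }
        }
}

if ($Findings) {
    $Findings | Sort-Object Created | Format-Table -AutoSize
} else {
    Write-Output "No recently created ASP.NET files found under the scanned directories."
}
```

Treat any hit as a lead for incident response, not as proof either way: legitimate Exchange files can match an indicator, and an intruder who has already taken control can backdate timestamps, so compare the hashes against a known-good install of the same build and run Microsoft's published Exchange detection script and indicator lists alongside this check.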
It is not fully known what the main goal of this attack was, but it is known what this access allows. Once an attacker has control of the Exchange server, they can read any email sent or received on your company's domain, and they can use the compromised server as a pivot point to move further into your company's network and compromise machines that were never exposed to the internet.
At Firestorm Cyber, we can help if you feel you have been compromised. We will set up advanced firewalls using Sophos technology to block threat actors sending malicious traffic on your network. We will make sure your organization is safe and secure from attacks like this one and from other attacks such as ransomware. We can also move you from an on-site Exchange server to the cloud, increasing email security and reliability. If you want to take the next steps to protect your company, contact us.