Microsoft’s revelation that an allegedly China-backed APT dubbed HAFNIUM had abused four previously unknown security vulnerabilities to infiltrate email servers of scores of companies and exfiltrate entire inboxes caused waves when it first pushed out patches for the CVEs on Monday, March 1.
With those attentive to the threat scrambling to patch, the threat group ramped up its campaign, hacking organisations en masse. And a full week after the patches for the critical vulnerabilities landed, there were still over 125,000 unpatched servers facing the internet, Palo Alto Networks says.
Volexity, which first identified exploitation, says that cyber espionage operations abusing one of the bugs — SSRF vulnerability CVE-2021-26855 — started occurring on January 3, 2021. Now new ransomware is landing that abuses the bugs, Microsoft says, as others pile on — with the UK’s NCSC reporting that a “wide variety of threat actors are using automated tools to scan for Exchange servers where updates are not installed” then installing malware.”
And a heated row is brewing after Microsoft-owned GitHub pulled down a public proof-of-concept (POC) that revealed how exploit the vulnerabilities: (Some Blue Teamers/security professionals say such PoCs help them secure their infrastructure in the face of thin detail from Microsoft and that the move amounted to outright censorship of the security community. Others hold that early disclosure with such a wide range of endpoints still exposed is irresponsible.)
Exchange Server ransomware warning
Microsoft’s warning Friday March 12 that it had “detected and [was] now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers” was a stark reminder of how rapidly cybercriminals are able to pile on to publicly disclosed vulnerabilities: a public PoC for the full RCE exploit chain had landed on GitHub less than 10 days after the patches were released.
With Microsoft-owned GitHub rapidly pulling the POC off the code repository, the move sparked serious debate among security researchers about the ethics and utility of releasing proof of concepts that let attackers (or defenders) understand the full kill chain after a major bug is revealed.
(GitHub told Vice: “We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe…In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited.”
TrustedSec founder Dave Kennedy was among those vehemently disagreeing with the move by Microsoft. He said in a Tweet thread: “The details released by Microsoft on this exploit were lacking in almost every arena for defenders. When an exploit like this occurs, the more information defenders have, the better they are at responding and ensuring minimization of damage. Our IR folks were working collaboratively with other IR folks in the same situation and with little to no understanding of what was going on.
“The PoC we developed internally helped substantially in understanding the attack and being able to respond much to this threat. The PoC that was released and later torn down by Github was missing key elements of the exploit, and the associated blog post intentionally removing key elements to successfully reproduce this attack without substantial reverse engineering and exploit experience. I’m an advocate for delaying to give defenders more time to patch.
“I’m also an advocate of getting the information about the attack to defenders in order to reproduce, respond, and ensure the adversaries are booted out in a timely fashion to reduce damage. Unfortunately, today, we cannot have the best of both worlds. Blue and organizations need to own that they may need to patch in an expedited fashion, especially in a case where an adversary is mass exploiting systems globally. The outrage should not be on a security researcher who published the results to help organizations understand the attack better but on organizations that are not addressing the security exposures in a timely fashion… having large organizations dictate (Microsoft/Github) when an exploit can drop for their own product is censorship and it’s wrong. I have some serious concerns about what Microsoft did here and it only amplified the PoCs awareness of the world versus hindering it.”
Those at risk, meanwhile, are likely to be small and medium sized businesses, state and local government, and schools, notes John Hultquist, VP of Analysis, Mandiant Threat Intelligence.
Information on IoCs and detection can be found below (per NCSC):
- In the Microsoft guidance
- CISA and the FBI in the US have published a TLP WHITE advisory
- Exchange server hash list
- Microsoft Safety Scanner has signatures for all webshells known to Microsoft and will delete any identified