Update [03/08/2021]: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
NetAccess considers it mission critical that Exchange servers be patched. Patching has been reported to protect against new attacks, but it does not remediate a server that was already compromised, so administrators should investigate all Exchange servers that were unpatched for signs of unauthorized access. If you need assistance patching your Exchange servers and would like to work with NetAccess, please let us know; we'd be glad to help. You can also call our main line at 905-524-2001 to speak with someone in sales if you don't have a managed support engagement with NetAccess.