Patch too late if it’s already compromised


On March 2, 2021, Microsoft accused a Chinese group APT, called Hafnium, of having compromised 30,000 Exchange servers. They announced four security vulnerabilities, called 0-day, which refers to the fact that attackers had a reliable way to exploit the vulnerability for which there was no patch. In case your organization doesn’t go into full panic mode, GO TRIGGE THE FIRE ALARM! IT IS SERIOUS!

Tom Burt, vice president of security and customer trust at Microsoft, published a blog post about Hafnium: New cyberattacks at the nation-state level. Microsoft describes Hafnium as “primarily targeting entities in the United States with the aim of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions , defense contractors, policy think tanks and NGOs.” According to my favorite APT cross-reference table, maintained by Florian Roth (Twitter: @Cyb3rOps) Hafnium is also called by Symantec under the name Ant. (They chose this name because one of the common webshells used for post-exploitation was regularly hit by a web browser using the “antSword/v2.1” user agent. AntSword (中国蚁剑) and ChinaChopper (中国菜刀) are popular webshells used by Chinese attackers for many years.

FireEye says there is no reason to believe the activity is limited to a single threat actor and refers to the attack groups like UNC2639, UNC2640, UNC2643.

FireEye associates UNC2639 with activity from IP addresses and, both active at the time of Microsoft’s announcement (March 2 and 3).

FireEye associates UNC2640 with activity involving “web shell” files named “help.aspx” (MD5 4b3039cf227c611c45d2242d1228a121) and “iisstart.aspx” (MD5 0fd9bffa49c76ee12e51e3b8ae0609ac)

FireEye associates UNC2643 with the deployment of a Cobalt Strike Beacon (MD5 79eb217578bed4c250803bd573b10151) and the IP addresses and

FireEye claims to have started observing this activity in January, which matches Microsoft’s reports that they were informed of this activity by security firm Volexity in January. However, the DEVCORE research team deserves credit for attempting to exploit marketing of the bug by calling the attack “Proxy connection” and create a sexy web page and logo for the attack, a la HeartBleed. Luckily, it didn’t really catch on, but their timeline is still very interesting. They found the first bug on December 10, 2020 and the second on December 30, 2020 and reported both to Microsoft on 05JAN2021 (as tweeted by their Taiwanese researcher, Tsaï Orange.)

Symantec specifies that the actor they call Ant (and Microsoft calls Hafnium) is definitely no longer the only attacker using these vulnerabilities. Diagram of the Symantec attack Is usefull:

Symantec Attack Flowchart

Brian Krebs interviewed several researchers about the attack, including Steven Adair, who says his company, Volexity, has noticed the bug since January 6, 2021. See Krebs on security: “At least 30,000 US organizations newly hacked via flaws in Microsoft email software. »

As Krebs and others have since pointed out, while 30,000 U.S.-based organizations were known to be victims of Hafnium/Ant, now that the vulnerability is known, attacks have reached astronomical numbers. Why is it a problem? Companies most likely to operate their own unpatched email servers are also least likely to be informed enough to apply the patches.

Both Forbes And CABLE Now let’s say that hundreds of thousands of servers were compromised and the number of compromises at any given time was increasing by “thousands per hour”.

What to do? PATCH! (But it may be too late…)

Obviously, the most important thing to do is to apply Microsoft’s patches. However, it is VERY IMPORTANT TO UNDERSTAND that you may already be compromised. Patching DOES NOT make you “unhacked!” Patch, but also follow CISA’s advice to determine if you’re already hacked.

The vulnerabilities are listed here, each linked to the Microsoft security alert associated with the CVE.

Unfortunately, smaller organizations tend not to patch, and malicious organizations within larger organizations often manage their own Exchange servers rather than follow centralization guidelines. In a presentation I gave for the Merchant Risk Council in September 2020, we talked about CISA issuing a critical alert related to Office 365, calling it a “Top 10 Commonly Exploited Vulnerability” as well as its own alert, CISA Alert AA20-120A. In this presentation, we also mentioned how Rapid7’s Tom Sellers warned about unpatched Exchange servers. The vendors were actually talking about the “critical” Exchange server bug CVE-202-0688.
In Rapid7’s look at data, “Phishing for SYSTEM on Microsoft Exchange (CVE 2020-0688)” originally published on April 6, 2020, explained that a March 24, 2020 Internet scan found that 357,629 vulnerable servers, 82.5% of those accessible from the public Internet, had not been patched for a vulnerability CRITICAL with a patch available since February 11, 2020. EIGHT MONTHS LATER, Rapid7 repeated the test, and still found that 61% of these servers were still online and still vulnerable! In addition, 31,000 servers had no not been patched since 2012, and 800 servers had NEVER been patched!

What do you think are the chances that they suddenly became aware of the patches on MARCH 02, 2021?

It is highly likely, in this author’s opinion, that MOST of the Exchange servers accessible on the Internet have been compromised. How to test to see if you are one of them? Continue reading…


The CyberSecurity & Infrastructure Security Agency, CISA, part of the Department of Homeland Security, has provided comprehensive information on how to detect the attack, including an interesting guide on how to use FTK Imager to capture the memory of your Exchange server and where to look. proof of being compromised.

Please carefully review their recommendations found as Alert AA21-062A.

Many of their indicators come from Volexity, which also shares a video explaining the attack in its 02MAR2021 blog post, “Operation Exchange Marauder. “It should be noted that none of FireEye’s IP addresses are in this list.

In addition to the CISA guidance, Microsoft has released a script that can be run on your Exchange server to look for signs of compromise. Their scenario is described in their Hafnium targeting Exchange servers blog post, but a direct link to the script is:

This script scans HttpProxy logs, Exchange logs, and Windows application event logs for signs of exploitation. Let’s hope the bad guys haven’t deleted the logs!

Leave a comment