“It’s massive. Absolutely massive.” That is how a former national security official described the recent attack on Microsoft Exchange Server by HAFNIUM, a state-sponsored threat group operating out of China. The group has been actively exploiting four zero-day vulnerabilities in Exchange Server in widespread attacks, and other attackers have since joined in. Microsoft disclosed the attack on March 2, 2021 and rushed out-of-band patches to the public the same day. The vulnerabilities affect on-premises Exchange Server 2010, 2013, 2016, and 2019.
Exchange Online is not affected. Note, though, that a hybrid deployment still runs an on-premises Exchange server for mail flow or recipient management, and that server is exposed like any other.
Microsoft announcement: New nation-state cyberattacks – Microsoft On the Issues
Microsoft guidance: HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security
New MSRC guidance: Investigating and remediating on-premises Exchange Server vulnerabilities
Companies and organizations that run Microsoft Exchange in a self-hosted, on-premises environment should assume they were compromised at some point between February 26 and March 3, 2021.
If you are still hosting on-premises Exchange, stop reading right here, take the following emergency steps, and then come back to finish this blog later…
- Patch if you haven’t already, on every Exchange server you run, and install the security update from an elevated (run as administrator) prompt: installed without elevation it can appear to succeed while leaving the server unpatched. If you do not have dedicated IT staff to apply the patch, you can use the one-click Exchange On-premises Mitigation Tool (EOMT) released by Microsoft; it is a stopgap that blocks the known attack paths, not a replacement for the patch.
- Assume you have been hacked and start looking for activity. Patching closes the door, but it does nothing about web shells or other persistence an attacker planted before you patched.
- If your team does not have the capability to hunt for activity, contact your Connection Account Manager today. They can connect you with our Microsoft professional services team who have the skill and resources to help you do so. If you do not have an Account Manager, contact us here and we can assist you.
- Back up your server data immediately, to storage the Exchange server itself cannot reach, and preserve the server’s logs: if you find evidence of intrusion, the investigators will need them.
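As a first pass at the "start looking for activity" step, here is an added triage script (it is not from the original post and not one of Microsoft's own scripts). It applies two of the indicators Microsoft's linked HAFNIUM guidance describes: HttpProxy log rows whose AnchorMailbox field has the "ServerInfo~*/*" shape seen in exploitation traffic, and .aspx files recently written to the directories where web shells were dropped. The install root, the log path, the column names (DateTime, ClientIpAddress, UrlStem, AnchorMailbox) and the web-shell directories assume a default V15 install and the standard HttpProxy log layout; adjust them for your environment.

```powershell
# Added example, not Microsoft's or the original post's code. Run elevated on the Exchange server.
# Assumptions: default "V15" install under %ProgramFiles%, standard HttpProxy CSV log layout.
# A clean result does NOT prove the server is clean; it is only a starting point for the hunt.
param(
    [datetime]$Since = [datetime]'2021-02-26',   # start of the window the post tells you to assume
    [string]$ExchangeRoot = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15')
)

function Get-SuspiciousAnchorMailboxHits {
    param([string]$HttpProxyLogRoot, [datetime]$Since)
    Get-ChildItem -Path $HttpProxyLogRoot -Filter '*.log' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $file = $_.FullName
            # HttpProxy logs are CSV preceded by "#..." comment lines; "#Fields:" names the columns.
            $raw = Get-Content -Path $file -ErrorAction SilentlyContinue
            $fieldsLine = $raw | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
            if (-not $fieldsLine) { return }
            $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
            $rows = $raw | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $header
            foreach ($row in $rows) {
                # Exploitation requests carry a ServerInfo~host/path value here instead of a mailbox.
                if ($row.AnchorMailbox -like 'ServerInfo~*/*') {
                    [pscustomobject]@{
                        File          = $file
                        DateTime      = $row.DateTime
                        ClientIp      = $row.ClientIpAddress
                        UrlStem       = $row.UrlStem
                        AnchorMailbox = $row.AnchorMailbox
                    }
                }
            }
        }
}

function Get-RecentAspxFiles {
    param([string[]]$Directories, [datetime]$Since)
    foreach ($dir in $Directories) {
        if (-not (Test-Path $dir)) { continue }
        # Web shells were dropped as .aspx pages; anything new or modified in the window is suspect.
        Get-ChildItem -Path $dir -Filter '*.aspx' -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
            Select-Object FullName, CreationTime, LastWriteTime, Length
    }
}

$httpProxyLogs = Join-Path $ExchangeRoot 'Logging\HttpProxy'
$webShellDirs  = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client')
)

Write-Host "== HttpProxy rows with a ServerInfo~ AnchorMailbox since $Since =="
$hits = @(Get-SuspiciousAnchorMailboxHits -HttpProxyLogRoot $httpProxyLogs -Since $Since)
$hits | Format-Table -AutoSize

Write-Host "== .aspx files written since $Since in known web-shell drop directories =="
$aspx = @(Get-RecentAspxFiles -Directories $webShellDirs -Since $Since)
$aspx | Format-Table -AutoSize

if ($hits.Count -or $aspx.Count) {
    Write-Warning "Indicators found: preserve the logs and files before remediating, and escalate to incident response."
}
```

Treat any hit as a reason to stop and preserve evidence rather than to start deleting files: the logs and the web shell itself are what an investigator uses to work out what else the attacker did. Microsoft's guidance and its published hunting scripts cover more indicators than these two, so run them as well.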
At least 30,000 organizations have been hacked in this latest attack… Police departments, hospitals, state and local governments, banks, infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, NGOs, and more. No industry or sector was spared unless they were operating in the cloud.
If you have been infiltrated by HAFNIUM, I am so sorry. It was not your company’s fault. The blame lies squarely on the enemy who did this. If you need help, Connection’s Services Teams can help you hunt and patch. But don’t stop there and allow it to happen again. For better protection, I cannot stress enough how important it is to move to the cloud. I will explain this further in my follow-up blog. In the meantime, please reach out to your Connection account team for further assistance. If you are not a customer yet, call us at 1-800-800-0014 or send us a message, and we will reach out to you.