HAFNIUM’s Microsoft Exchange Attack: Four Urgent Security Steps to Take Right Now

Katie John

“It’s massive. Absolutely massive.” That is how a former national security official is describing the recent attack on Microsoft Exchange Server by a state-sponsored threat group from China called HAFNIUM. Four zero-day vulnerabilities in Exchange Server are being actively exploited in widespread attacks by this group, and now other cyberattackers are joining in as well. Microsoft announced the attack on March 2nd, 2021, as it rushed urgent patches out to the public. The vulnerabilities exist in on-premises Exchange Server 2010, 2013, 2016, and 2019.

Exchange Online is not affected! 

Microsoft announcement: New nation-state cyberattacks – Microsoft On the Issues 

Microsoft guidance: HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security 

New MSRC guidance: Investigating and remediating on-premises Exchange Server vulnerabilities 

Companies and organizations that run Microsoft Exchange in a self-hosted, on-premises environment should assume that they were hacked sometime between Feb. 26 and March 3.

If you are still hosting on-premises Exchange, stop reading right here, take the following emergency steps, and then come back to finish this blog later… 

  1. Patch if you haven’t already. If you do not have dedicated IT staff to apply the patch, you could use the one-click Mitigation Tool released by Microsoft.
  2. Assume you have been hacked and start looking for activity 
  3. If your team does not have the capability to hunt for activity, contact your Connection Account Manager today. They can connect you with our Microsoft professional services team who have the skill and resources to help you do so. If you do not have an Account Manager, contact us here and we can assist you. 
  4. Back up your server data immediately

At least 30,000 organizations have been hacked in this latest attack… Police departments, hospitals, state and local governments, banks, infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, NGOs, and more. No industry or sector was spared unless they were operating in the cloud.  

If you have been infiltrated by HAFNIUM, I am so sorry. It was not your company’s fault. The blame lies squarely on the enemy who did this. If you need help, Connection’s Services Teams can help you hunt and patch. But don’t stop there and allow it to happen again. For better protection, I cannot stress enough how important it is to move to the cloud. I will explain it further in my follow-up blog. In the meantime, please reach out to your Connection account team for further assistance. If you are not a customer yet, call us at 1800. 800. 0014, or send us a message and we will reach out to you.

Katie is a Senior Product Manager and helps to manage and execute the overall marketing and enablement strategy for Microsoft Solutions at Connection. Throughout her career, which has included various roles in IT sales, Enterprise account management, Microsoft solutions support, and now Product Management, she has been purposefully driven by a love for helping people solve problems—bringing clarity to IT complexity and leading with empathy. In her free time, Katie enjoys reading, taking day trips and weekend getaways with her husband and teenage daughters, and volunteering with non-profit organizations that provide outreach to at-risk children and the foster care community.