DHS-CISA is offering insight to our community on how to manage this unprecedented vulnerability 

They’ve dubbed it, “Operation Exchange Marauder,” and this one might cut even deeper than the SolarWinds supply chain compromise that was uncovered in December — leaving some tens of thousands of on-premises Microsoft Exchange accounts open for breaches. 

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued Emergency Directive 21-02, and the Data Connectors Community received clear instructions on how to handle this vulnerability from the agency’s Cybersecurity Advisor Klint Walker. 

“I would love to tell you that I had a great presentation lined up for you today that had big-name actors with explosions and action scenes with car chases, and lots of comedy mixed in, but instead, we have actual danger to discuss. Not flashy or cinematic by any means, but real and persistent,” Walker said. 

For those not in the loop, on March 2, CISA, NSA, Microsoft and Volexity announced four newly discovered vulnerabilities in the Microsoft Exchange on-premises product which opened some 30,000+ organizations to a possible attack. Through these vulnerabilities, an attacker could get persistent access and control of an enterprise network. 

Microsoft quickly released patches to address and rectify these issues, but not before some organizations were breached.

“Within 24 hours though, we (CISA) started noticing that there were already exploitations of those vulnerabilities,” Walker said. “Look at how fast that gap closed; the vulnerabilities were announced and immediately people were exploiting them, or maybe they were even exploiting them before the vulnerabilities were announced. Every moment that you are not patched and you are not taking mitigation efforts is putting you at risk.”

WHO IS RESPONSIBLE

According to the Microsoft Threat Intelligence Center, they’ve attributed this breach to a state-sponsored group out of China called HAFNIUM.

They’ve made this assessment with high confidence, particularly based on the primary targets — namely, infectious disease researchers (particularly, according to Walker, in relation to COVID-19 research), law firms, higher education institutions, defense contractors, think tanks and non-governmental organizations. These targets tend to work particularly close to the federal government in terms of providing research, and as a result, were seen as opportunities for these hackers. 

“This isn’t (HAFNIUM’s) first rodeo; there’s been activity seen from HAFNIUM in the past. Usually, they compromise victims by exploiting vulnerabilities, especially anything that’s internet-facing,” Walker said. “Once they’ve gained access to your network, they’re going to exfiltrate as much data as they possibly can.”

SUCCESSFUL MITIGATION

In this can’t-ignore session, Walker outlined the steps required for successfully ensuring that your network is safe and preserved following these major vulnerabilities. 

Walker discussed the immediate actions that need to take place within your organization, as well as steps to complete a more in-depth forensic analysis on this particular issue. Take a look at his recommendations, as well as review his suggestions for which tools would best serve you. 

Watch the entire presentation for Walker’s CISA-approved, complete action plan for managing these vulnerabilities. Complete the form below to access the video.

How to Survive the Microsoft Exchange Hack: …

Hot Topics in Cybersecurity Posted by Jen Greco on Mar 12, 2021