HAFNIUM targeting Microsoft Exchange Servers with 0-day exploits


On the 2nd of March, Microsoft issued a press release warning of a threat against Microsoft Exchange Servers, attributed to the APT actor that Microsoft tracks as HAFNIUM. The actor is exploiting zero-day vulnerabilities in Internet-facing Exchange Servers; further technical details are available in the Microsoft Security Blog.

A one-click mitigation tool for Exchange servers was released on 15 March 2021. It is aimed at administrators and is designed to mitigate the four actively exploited vulnerabilities.

By running this tool (tested on Exchange 2013, 2016, and 2019), customers can mitigate CVE-2021-26855 on any Exchange server on which it is deployed. The one-click tool does not replace the Exchange Security Updates; it reduces the highest-risk exposure on the Exchange Servers until the updates can be installed.

As stated by Microsoft: 

“Before running the tool, you should understand:

  • The Exchange On-premises Mitigation Tool is effective against the attacks we have seen so far but is not guaranteed to mitigate all possible future attack techniques. This tool should only be used as temporary mitigation until your Exchange servers can be fully updated as outlined in our previous guidance.
  • We recommend this script over the previous ExchangeMitigations.ps1 script as it is tuned based on the latest threat intelligence. If you have already started with the other script, it is fine to switch to this one.
  • This is a recommended approach for Exchange deployments with Internet access and for those who want to attempt automated remediation.
  • Thus far, we have not observed any impact to Exchange Server functionality when these mitigation methods are deployed.”

Multiple national and international agencies issued clear statements and directives on how to act on this zero-day threat:

  • Centrul National de Raspuns la Incidente de Securitate Cibernetica – CERT-RO
  • Federal Bureau of Investigation
  • CISA – Cybersecurity and Infrastructure Security Agency
