Some of us like taking risks.
We need that adrenaline.
In business, though, risk is something to be evaluated carefully. If excitement is what you are seeking, go for Texas gambling instead and treat yourself to a break of pure entertainment. 🙂
When you are done, come back to the office and let’s talk server security. If you are using Microsoft Exchange and have opted to run your own server “on-premises”, you are in danger!
Have you ever heard about Hafnium?
No, not the chemical element with the symbol Hf and atomic number 72.
We are talking about a Chinese hacker group, “assessed to be state-sponsored” as Microsoft states on its website.
Who are Hafnium Hackers?
Microsoft asks the same question but cannot really answer: “Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”
Whoever they are, they are up to no good.
Breaches against Microsoft Exchange
A first round of breaches against Microsoft Exchange was noticed when Hafnium dropped web shells onto servers at a noticeable rate on February 27th and 28th. Later, TrustedSec discovered that very few of the available targets were actually hacked.
Hafnium installed the web shells on a small number of the servers that it visited and scanned for vulnerabilities in those two days.
The second round followed on March 2nd and 3rd, when the attackers returned to the addresses they had found vulnerable and dropped a web shell so they could get back in later.
This might explain why the patches released by Microsoft did not solve the problem. Microsoft patched four Exchange Server vulnerabilities that the hackers had used.
Vendors frantically rushed to patch systems, but breaches were not stopped.
Impact on server security
Hundreds of servers were affected. Some researchers suggested that the total could be much more dramatic, in the range of a hundred thousand.
The problem is that criminal groups can reverse engineer patches and again beat Microsoft at its own game.
They can easily see what fixes Microsoft has applied, reverse engineer them into their own exploits, and open the door to an escalation of attacks. Ransomware, for example, could hit anyone who’s still exposed.
Unfortunately, this seems to be exactly the case.
Analysts have spotted several groups of hackers, all busy taking advantage of the opportunities the attack opened up. Organizations that are slow to defend their systems will soon find out that there is a point at which criminal activity replaces espionage.
Microsoft’s action against the hackers
In the week since Microsoft first released its patches, the dynamic already appears to be playing out.
Analysts have seen multiple groups, most still unidentified, getting in on the action in recent days, with more hackers likely to come. The longer organizations take to patch, the more potential trouble they’ll find themselves in.
On the other hand, patches are a double-edged sword. Both researchers and malicious hackers can use them to study a vulnerability in the system and figure out how to exploit it to their own ends.
While the mysterious Hafnium appears to be an espionage group, it has now opened the path for cryptocurrency miners and ransomware thugs to wreak their own havoc, for example by running cryptominers on exposed Exchange servers.