On March 2nd, a newly discovered security flaw was revealed in Microsoft Exchange email server software that could impact over 30,000 victim organizations worldwide. As of this writing, the vulnerability has been reported to affect on-premises Exchange Server versions 2013 through 2019.

According to security researchers [1], the vulnerability is being exploited by a Chinese state-sponsored hacking group known as Hafnium. This hacking campaign is actively seeking to intercept email communications from internet-facing systems running Exchange. Target victims cut across a wide range of industries, including but not limited to banks, credit unions, infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, non-profits, telecommunications providers, public utilities, municipalities and emergency services units.

The U.S. government considers this an active threat. The Biden administration has created a task force known as the Unified Coordination Group ("UCG") that includes the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency and others to respond. [2]

What to do now

Microsoft is working closely with CISA to provide guidance for organizations that may be impacted.

On March 6th, Microsoft issued an emergency security update together with mitigation guidance for remediating four known security issues.

CISA has issued guidance which provides the following best practices:

  • If evidence of compromise is found, assume that your organization's network identity has been compromised and begin incident response procedures.
  • Patch Microsoft Exchange with the vendor-released patches. If you are unable to patch immediately or to remove Microsoft Exchange from the network immediately, CISA strongly recommends following the alternative mitigations found in Microsoft's blog on Exchange Server Vulnerabilities Mitigations. These mitigations should not be taken as a substitute for patching.
  • Patching an already compromised system will not be sufficient to mitigate this situation; therefore, CISA strongly encourages partners to immediately disconnect any Microsoft Exchange systems suspected of being compromised.
  • Admin/IT staff: Provide feedback to your leadership on the actions you have taken and any challenges completing the steps below:
    • Patch all instances of Microsoft Exchange that you are hosting.
    • If you can't patch, follow the recommendations Microsoft issued in "Microsoft Exchange Server Vulnerabilities Mitigations – March 2021" (Microsoft Security Response Center).
    • Check for indicators of compromise by running the following script.
    • If you have been compromised, follow this guidance to better understand what to do next.
  • Please contact CISA for any questions or to report an incident regarding this vulnerability at Central@cisa.gov.

Cyber insurance implications

In the event your organization becomes a victim of the Hafnium hacking campaign, it is important that you leverage the resources that come with any applicable insurance policies.

Many cyber insurance policies provide access to a variety of cyber experts, including breach coaches, IT forensics investigators, extortion negotiators, credit monitoring firms, public relations experts, data asset restoration experts and others. Be mindful of insurance policy claim reporting requirements that mandate formal notice of incidents and/or claims. The terms and conditions of each policy vary significantly, and many insurance carriers require insureds to use only pre-approved insurance panel experts.

Sources

  1. "At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft's Email Software" — Krebs on Security
  2. "Biden administration expected to form task force to deal with Microsoft hack linked to China" — CNN Politics