What to do if you were breached by Hafnium (Exchange breach)?

I meant to write this earlier, but I just didn’t have enough time, because of the research and many things I’m doing to remediate this mess inside my network. Microsoft breach has quickly became one of the ugliest events in recent IT history, on par with Solarwinds. Adversaries used unknown flaw in Microsoft Exchange for more than two months to exploit 10s of thousands of organizations around the world. Microsoft patched exploit on 02.March 2021 but not everyone became aware of the seriousness of the situation immediately, so many environments are still unprotected. After exploit became publicly known many new actors entered the game, and now many new threats are looming, ransomware being one of them. What should we do?

I already wrote in many details and offered various resources on this event here – https://www.informaticar.net/microsoft-exchange-march-2021-breach-hafnium/ so, please check that link out if you haven’t audited your system yet. It is about time you do it.

Here are my thoughts on this, please take them only as material to think and discuss, I cannot be held responsible for any damage you do…

First step – patch, establish if you were breached, and if you were, establish depth of breach.

  • Install patches that mitigate Hafnium attack
  • Check your logs with provided Microsoft scripts and sweep through internal logs
  • If you find anything in logs (or if you don’t)proceed to establish indicators of compromise (IOCs)
  • Establish if there are .aspx, .js, webshells on your system, if they are remediate them
  • Establish if there are scheduled tasks or processes that are active in memory of your server, and if data is already exfiltrating
  • Establish if there is lateral movement through your network – AD is critical, there is possibility that you domain admin accounts are compromised and your internal network is breached.
  • Watch your DNS and network traffic closely. Since adversary maybe sweeped your system this is important step.
  • Try to recover deleted files if you have suspicions that your systems were breached and cleaned after attack (consult before you do this, maybe you need forensics!! )

Even if your Exchange is physically in different environment, check if there is domain trust between your production domain and Exchange domain – you may have been breached if the account has too high privileges – be aware of this, I have seen this.

Be careful in tampering with your systems if you are obliged by law or internal acts to do forensics – make sure you don’t destroy evidence. Watch but don’t touch. After forensics are done you may proceed with cleanup.

What to do if you establish you were breached?

It all depends, even if you patched on time (right away on 02. March 2021) it does not mean that you are of the hook – remember, this attack was active for whole two months before it was patched!!

  • if you establish that there were “knocks on the door” and there is something in the logs but you have no evidence of webshell scripts and other IOCs – watch your system closely, monitor logs, network and scan it every day.
  • if you established that there were webshell scripts and changes in your Microsoft Exchange server – there are tools that can helps you remove webshells and check hashes on your exchange files to see if they were tampered with. I would advise that you reinstall Exchange server – databases are not compromised (yet) system is, so if you can – that would be the cleanest step. Also, reset all user/admin passwords on your domain.
  • If you established that webshells were dropped and there is lateral movement inside network – your AD is tampered with you are in tough situation. This is I think toughest call, especially since new reports confirm ransomware deployment – https://www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/ I can tell you what I would do – I would undergo system resets on all of servers and domain machines. I would also be using clean installations, not imaging or backup, since you cannot be sure these are clean. It is only way we see right at this point. Consult with your management and make your calls, this is tremendous job to do, and not an easy call.

I hope this short post gave you material to think and some new ideas, I would also appreciate feedback if you have new insights or good suggestions on this situation.

Disclaimer