Hackers, the FBI, and Microsoft Exchange Servers
Note: This is unrelated to Microsoft’s announcement of security patches for other similar vulnerabilities on April 13, 2021.
THERE ARE NO MORE RULES
Today we are going to talk about what happens when you do not address security problems in your private Information Systems (IS): the systems that you as an individual, or as an organization, manage and run to maintain your business.
Historically, the government has needed your permission to access your systems, whether that was to spy on you or to ‘help’ you. That has now changed.
The Federal Bureau of Investigation (FBI) executed a court-authorized program to remove malicious code from vulnerable Microsoft Exchange Server (MES) servers in the United States in response to the reported widespread exploitation of critical vulnerabilities by malicious cyber actors. The MES servers that were ‘fixed’ were on-premises versions of MES, software used to provide e-mail service.
The FBI program was designed to remove the malicious code from the systems but did not include other mitigating actions, such as patching MES vulnerabilities or identifying and removing any other malware or hacking tools that may have been hidden on these networks. The program’s goal was to prevent future attacks on US organizations.
WHO TRIED TO ATTACK US?
The first Advanced Persistent Threat (APT) group to utilize these vulnerabilities was referred to as HAFNIUM, and the attacks themselves are often mislabeled as ‘HAFNIUM attacks’.
HAFNIUM has been identified as targeting organizations in the United States across industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and Non-Governmental Organizations (NGOs).
HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers (such as email or FTP servers).
HOW DID THEY DO THIS?
The technical details of these attacks are beyond the scope of this discussion. For more information, visit the Microsoft Security page “HAFNIUM targeting Exchange Servers with 0-day exploits”.
WHY DID THIS HAPPEN?
Reports of groups exploiting zero-day vulnerabilities in MES software first surfaced in January of 2021. These vulnerabilities were actively being used to access and read emails from any account on the server. There was also evidence that, during exploitation, additional code was planted on the system to allow further access at a later date. Because each planted file had a unique name and was located in a unique directory, there was no ‘find-this-file-and-delete-it’ type of solution.
N.B. Microsoft indicated that this vulnerability only affected on-premises systems and not Exchange Online.
Compromising these systems gave the perpetrators the ability to read any information in users’ mailboxes, steal user logins and passwords, add new accounts, steal the network authentication database, and move to other systems in that network. As an additional problem, they installed ‘back doors’ for future access.
This sounds alarming, but of course, security researchers identified this in January. So, what’s the problem? The problem is that Microsoft did not address the multiple vulnerabilities and issue a patch to fix this publicly until March. By that time, thousands of servers had been compromised, millions of emails had been read, and thousands of ‘back doors’ had been established that would require a lot of time and research to identify and address.
It is expected that some of the information that was gathered was private, confidential, and federally defined Controlled Unclassified Information (CUI). Although government contractors and sub-contractors all attest to their information systems being secure, some clearly were not, and many run their own on-premises MES.
Frankly, this is a worst-case scenario. A criminal could get access not only to any emails, but potentially to almost anything, by requesting a password reset and confirming the reset via email. On a scale of 1-10, this was a hard 10.
BUT I HAVE CUI!
If you’re using Microsoft Exchange for your mail, make sure that you or your provider are running the latest patches for your version of Exchange, and/or bring in some professional help to look for compromises.
Of course, you could always rely on communicating CUI through a trusted partner. One that can not only ensure your CUI is secure, but a company that also sends email through its own servers, and those emails link to the document, requiring additional security. A closed environment for CUI, such as that provided by RegDOX, would have mitigated the problems in maintaining the confidentiality of CUI that was caused by this breach.
WHAT HAS BEEN THE RESPONSE BEFORE THIS?
To their credit, on March 15, 2021, Microsoft did release a ‘one-click mitigation tool’ which prevents the problem from occurring if the system has not been infected yet. You can access this tool here (https://aka.ms/eomt).
This Microsoft tool was designed as “…an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update”. The tool is not intended as a replacement for regular security updates but is “the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching”.
Throughout March, Microsoft and other vendors issued detection tools, patches, and other information to assist in identifying and mitigating the issue. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released an Advisory, “Compromise of Microsoft Exchange Server” on 10 March 2021. Additionally, Microsoft recommended downloading and using the Microsoft Safety Scanner (Microsoft Safety Scanner Download – Windows security | Microsoft Docs) and keeping it running.
Despite these efforts, by the end of March there was still an inordinate number of unpatched systems with malicious code and ongoing vulnerabilities. Some systems had been patched but may still have had back doors accessible. CUI was likely still being improperly accessed. Thus, the FBI stepped in.
SO, WE’RE ALL GOOD NOW?
Hardly. If the removal operation was conducted on your system, you will receive additional details from an authorized FBI email account. The FBI continues to conduct a thorough and methodical investigation into this issue.
We can estimate it will be less than one week before the phishing emails go out, purporting to come from the FBI, with instructions to log in to the ‘FBI Cyber Portal’ and verify your authenticity. Don’t. Let’s say that again. DO NOT.
Where one Advanced Persistent Threat (APT) group is successful, others will quickly follow. Microsoft originally tracked HAFNIUM when it started launching targeted attacks against US organizations. Recently, other adversary groups have started targeting the same vulnerabilities, and these attacks will continue to increase as attackers learn more about these vulnerabilities.
Not all of these attacks have been fully carried out yet. It is expected that in the future we will see more exploitation.
WHAT SHOULD WE DO?
As previously discussed, downloading and installing patches is of critical importance. This can be easily done using Microsoft’s Windows Update, as well as the MES product updates. The links provided in this article will allow you to download the Microsoft Safety Scanner and the one-click mitigation tool, allowing you to begin to assess the damage. Also, you might want to consider taking your CUI and other confidential information out of the Microsoft Exchange world and using a self-contained system to protect it.
Keep in mind that, as you coordinate a response to the issue, your mail has been compromised. It would not be difficult for an adversary to intercept emails and issue different instructions or sabotage the process entirely. Do NOT use your email to communicate your intentions!
Is this a significant threat to the US? Absolutely. Is the government ‘right’ in breaking into networks and accessing Information Systems of anyone they want without permission? Regardless of having ‘court authorized’ permission, we think that there is some debate and history will determine the answer.
Regardless, organizations should always strive to patch systems as soon as possible, scan systems on a regular basis, and invest in security technologies, training, and people.
About RegDOX Solutions Inc.
RegDOX Solutions’ first-to-market ITAR and NIST 800-171 (DFARS) compliant online storage and collaboration product has redefined how export-controlled and CUI documents and electronic files can be handled within regulatory requirements. This was recognized by the formal opinion of compliance provided by the US State Department’s Directorate of Defense Trade Controls (DDTC). RegDOX’s unique capabilities were confirmed on August 20, 2019, when the US Patent and Trademark Office issued a patent covering RegDOX’s system to store and manage export-controlled documents in the cloud (Patent No. 10,389,716). The RegDOX® ITAR/EAR solution provides ground-breaking and unsurpassed technology enabling the efficiency and flexibility of a cloud solution to allow multiple users located at numerous locations to collaborate using controlled data while remaining fully in compliance with the strict regulatory and licensing requirements of the ITAR and DFARS.