Microsoft Exchange Cyberattack: U.S. Blames China for Hafnium Email Hack

The United States and several allies have blamed hackers affiliated with China’s government for the Microsoft Exchange Server cyberattack and email hack. The hack, first reported in Q1 of 2021, impacted hundreds of on-premises email customers, small businesses, enterprises and government organizations worldwide.

The following links summarize steps that MSPs and MSSPs can take to patch Exchange Server for customers. But patching alone will not be enough to evict hackers from already compromised Exchange Server systems.

Follow each of the links, compiled by CISA, to learn how to determine whether your customers’ Exchange Server systems have been compromised:

  1. Microsoft Advisory: Multiple Security Updates Released for Exchange Server
  2. Microsoft Blog: HAFNIUM targeting Exchange Servers with 0-day exploits
  3. Microsoft GitHub Repository: CSS-Exchange
  4. Original CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities
  5. CISA Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities

Meanwhile, the timeline below tracks the Microsoft Exchange Server cyberattack, software patches for the email server platform, corrective measures for MSPs and MSSPs that are assisting customers, and Microsoft’s ongoing investigation into the attack.

Note: Blog initially posted March 2, 2021. Updated frequently thereafter. Check back daily.



Microsoft Exchange Server Cyberattack Timeline

July 19, 2021: Multiple updates…

  • Multiple Countries Blame China for Exchange Server Hack: The U.S., European Union, United Kingdom, Australia, Canada, New Zealand, Japan and NATO will all criticize China’s Ministry of State Security (MSS) for using “criminal contract hackers” to conduct cyber-enabled extortion, “crypto-jacking” and other schemes. The announcement may include the Microsoft Exchange Server hack. Source: The Hill, July 19, 2021.
  • Biden Administration Statement: The White House has released a statement attributing recent Microsoft Exchange Server exploitation activity to the People’s Republic of China (PRC). Source: CISA, July 19, 2021.
  • Cyber Advisory: CISA, NSA and FBI have released Joint Cybersecurity Advisory: Chinese Observed TTPs, which describes Chinese cyber threat behavior and trends and provides mitigations to help protect the Federal Government; state, local, tribal, and territorial governments; critical infrastructure, defense industrial base, and private industry organizations. Source: CISA, July 19, 2021.
  • Threat Overview: CISA, NSA and FBI have released CISA Insights: Chinese Cyber Threat Overview for Leaders to help leaders understand this threat and learn how to reduce their organization’s risk of falling victim to cyber espionage and data theft. Source: CISA, July 19, 2021.
  • Department of Justice Investigation: The DOJ has charged four Chinese nationals working with the Ministry of State Security with a global computer intrusion campaign targeting intellectual property and confidential business information, including infectious disease research. Source: U.S. Department of Justice, July 19, 2021.

April 22, 2021: A botnet known as Prometei is exploiting Microsoft Exchange vulnerabilities. Source: Cybereason, April 22, 2021.


April 13, 2021: Microsoft and the U.S. National Security Agency urged customers to patch four newly discovered Exchange Server vulnerabilities. The newly disclosed vulnerabilities aren’t related to the Hafnium Exchange Server vulnerability disclosures from March 2021. Source: MSSP Alert, April 13, 2021.



April 12, 2021: CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. They include:


April 7, 2021: Suspected Chinese hackers mined troves of personal data acquired previously to carry out the Microsoft Exchange attack, an emerging theory suggests. Such a method, if confirmed, could realize long-held fears about the national security consequences of Beijing’s prior massive data thefts. And it would suggest the hackers had a higher degree of planning and sophistication than previously understood. Source: The Wall Street Journal, April 7, 2021.


March 31, 2021: CISA released supplemental direction regarding the Emergency Directive for Microsoft Exchange Server Vulnerabilities. Source: CISA, March 31, 2021.


March 22, 2021: Another ransomware operation, known as ‘Black Kingdom’, is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt servers. Source: BleepingComputer, March 22, 2021.


Friday, March 19, 2021: An alleged REvil ransomware attack against Acer may have involved the ransomware gang leveraging Exchange Server vulnerabilities inside Acer’s network. Source: Bleeping Computer, March 19, 2021.



Thursday, March 18, 2021:

  • Microsoft Defender Antivirus Mitigates Exchange Vulnerabilities: Microsoft Defender Antivirus and System Center Endpoint Protection will automatically mitigate CVE-2021-26855 on any vulnerable Exchange Server on which it’s deployed. Customers don’t need to take action beyond ensuring they’ve installed the latest security intelligence update (build 1.333.747.0 or newer), if they don’t already have automatic updates turned on. Source: Microsoft, March 18, 2021.

Tuesday, March 16, 2021:

  • Microsoft’s Latest Guidance: Microsoft provides this guidance to responders who are investigating and remediating on-premises Exchange Server vulnerabilities. The guidance describes how the hack works, how to determine whether you’re vulnerable, how to mitigate the threat, how to tell whether you’ve been compromised, remediation steps and next steps for security. Source: Microsoft, March 16, 2021.
  • The Netherlands: At least 1,200 Dutch servers have probably been affected by the Exchange Server vulnerabilities and resulting attacks. Source: Reuters, March 16, 2021.

Monday, March 15, 2021:

  • Microsoft Exchange On-Premises Mitigation Tool: The Microsoft Exchange On-Premises Mitigation Tool is designed to help customers who don’t have dedicated security or IT teams to apply these security updates. Source: Microsoft, March 15, 2021.
  • Exchange Attack Surface — Smaller Than Predicted?: There are roughly 2,500 to 18,000 vulnerable public-facing Microsoft Exchange servers worldwide, a majority of which are in Europe, the Middle East, and Africa (EMEA). However, the overwhelming majority of the victims have been located in the United States and Germany, demonstrating a strong degree of intentionality by the perpetrators. The attack surface was smaller and more targeted than previously thought. Source: Security Scorecard, March 15, 2021.
  • Attempted Cyberattacks Against Exchange Surge: The number of attempted attacks against the Microsoft Exchange vulnerability has increased tenfold, from 700 on March 11 to over 7,200 on March 15. Source: Check Point Research, March 15, 2021.


Saturday, March 13, 2021:

  • Microsoft Hack Probe: Microsoft is investigating whether hackers who attacked its email system exploited the findings of Taiwanese researchers who were the first to alert the software company to the vulnerabilities. DevCore, a small firm based in Taipei City that focuses on discovering computer security flaws, said in December 2020 that it had found bugs affecting Microsoft’s widely used Exchange business email software. Then in late February 2021, Microsoft notified DEVCORE that it was close to releasing security patches to fix the problem. Source: Bloomberg, March 13, 2021.
  • CISA – Exchange Malware Analysis Reports (MARs): CISA has added seven Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each MAR identifies a webshell associated with exploitation of the vulnerabilities in Microsoft Exchange Server products. After successfully exploiting a Microsoft Exchange Server vulnerability for initial access, malicious cyber actors can upload a webshell to enable remote administration of the affected system. Source: CISA, March 13, 2021.

Friday, March 12, 2021:

  • Exchange Ransomware Attacks: Kryptos Logic has found 6,970 publicly exposed webshells that were placed by actors exploiting the Exchange vulnerability. These shells are being used to deploy ransomware. Source: Kryptos Logic, March 12, 2021.
  • DearCry is a new ransomware variant that exploits the same vulnerabilities in Microsoft Exchange as Hafnium. It creates encrypted copies of the attacked files and deletes the originals. Source: Sophos, March 12, 2021.

Thursday, March 11, 2021:

  • Ransom-seeking hackers have begun taking advantage of the Microsoft Exchange vulnerability — a serious escalation that could portend widespread digital disruption. The disclosure, made on Twitter by Microsoft security program manager Phillip Misner, is the realization of worries that have been coursing through the security community for days. Source: Reuters, March 11, 2021.

  • Microsoft observed a new family of human-operated ransomware attacking customers – detected as Ransom:Win32/DoejoCrypt.A. Human-operated ransomware attacks are using the Microsoft Exchange vulnerabilities to exploit customers. Source: Microsoft, March 11, 2021.

  • RocketCyber, owned by Kaseya, has developed a Microsoft Exchange Hafnium Exploit Detection App to help MSPs safeguard end-customer email systems. Source: RocketCyber, March 11, 2021.

Wednesday, March 10, 2021: Multiple updates…

  • As many as 60,000 Exchange Servers in Germany were initially exposed to the vulnerabilities. Roughly 25,000 of those systems still need to be fixed. Source: Reuters, March 10, 2021.
  • ESET Research has found that more than 10 different advanced persistent threat (APT) groups are exploiting the recent Microsoft Exchange vulnerabilities to compromise email servers. Moreover, ESET has identified more than 5,000 email servers that have been affected by malicious activity related to the incident. Source: ESET, March 10, 2021.
  • The FBI and CISA issued a joint advisory describing the latest details, findings and mitigation steps for the Microsoft Exchange vulnerability. Source: FBI and CISA, March 10, 2021.


Monday, March 8, 2021: CISA issued an alert that “strongly urges all organizations to immediately address Microsoft Exchange vulnerabilities.” A CISA tip sheet outlines five steps for IT security staff to take.


Sunday, March 7, 2021: Multiple Updates…

  • Hackers attacked Exchange email servers at the European Banking Authority. Source: European Banking Authority, March 7, 2021.
  • Microsoft released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities. Source: Microsoft, March 7, 2021.
  • The White House urged computer network operators to take further steps to gauge whether their systems were targeted amid a hack of Microsoft’s email program, saying a recent software patch still left serious vulnerabilities. Source: Reuters, March 7, 2021.
  • The hack has impacted at least 60,000 Microsoft customers worldwide. Source: Bloomberg, March 7, 2021.

Saturday, March 6, 2021: The Exchange Server hack may have infected tens of thousands of businesses, government offices and schools in the U.S. One source suggests the impact could extend across 250,000 organizations. Source: The Wall Street Journal, March 6, 2021.


Friday, March 5, 2021: Patching Exchange Server isn’t enough. Given that reality, Microsoft strongly recommends customers investigate their Exchange deployments using the hunting recommendations here to ensure that they haven’t been compromised. Microsoft also shares an nmap script that can help you discover vulnerable servers within your own infrastructure. Source: Microsoft, March 5, 2021.



Wednesday, March 3, 2021:

  • MSP & MSSP Implications: Cybersecurity service provider Huntress describes the Exchange Server hack and the potential implications for MSPs and MSSPs.
  • CISA Alert Says Patching Isn’t Enough: A CISA (Cybersecurity and Infrastructure Security Agency) alert tells organizations running Exchange Server to examine their systems for the TTPs (tactics, techniques and procedures) and IOCs (indicators of compromise) to detect any malicious activity. If an organization discovers exploitation activity, it should assume network identity compromise and follow incident response procedures. If an organization finds no such activity, it should apply available patches immediately and implement the mitigations in this Alert. Source: CISA, March 3, 2021.

Tuesday, March 2, 2021: Multiple updates…

  • The Attacker: Microsoft alleges that a state-sponsored threat actor known as Hafnium, which operates from China, launched the attacks against Exchange Server.
  • Microsoft Discloses Exchange Server Hacks, Patches: Microsoft released multiple Exchange Server software patches to address email server vulnerabilities that hackers are exploiting in the wild.

January 2021: The attacks were first detected, but not publicly disclosed, in January 2021, according to these updates…

  • Volexity: Security monitoring service provider Volexity discovers anomalous activity from two of its customers’ Microsoft Exchange servers. Source: Volexity, March 2, 2021.
  • Mandiant from FireEye: Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint security solutions. Source: FireEye’s Mandiant, March 4, 2021.

December 2020:

  • DevCore, a small firm based in Taipei City that focuses on discovering computer security flaws, said in December 2020 that it had found bugs affecting Microsoft’s widely used Exchange business email software. Then in late February 2021, Microsoft notified DevCore that it was close to releasing security patches to fix the problem. Source: Bloomberg, March 13, 2021.

Check this blog regularly for ongoing timeline updates.
