4/13 Update Addresses MS Exchange Server Vulnerabilities

Please be advised that Microsoft released new security updates, which should be treated as urgent, for on-premises Exchange Server 2013, 2016 and 2019 on April 13th. They address four remote code execution vulnerabilities reported to Microsoft by the NSA, tracked as CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483; the first two can be exploited without authentication.

As you may recall, Microsoft released an out-of-band update in early March for a different set of Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), the chain known as ProxyLogon. That chain let an attacker reach an Internet-facing Exchange server over HTTPS without credentials, write an arbitrary file to the server, and drop a web shell, giving remote code execution and a foothold the attacker could return to later. The April vulnerabilities are separate: a server that received the March update is not protected against them.

The original goal of the group Microsoft calls Hafnium appears to have been espionage, but once proof-of-concept exploit code became public, opportunistic follow-on attacks by other actors ensued, including ransomware. On April 13th, the Department of Justice announced a court-authorized operation in which the FBI accessed the web shells left on hundreds of still-unpatched, Internet-facing U.S. servers and removed them, so they could no longer be used as a backdoor into U.S. networks. The operation removed only the web shells; it did not patch the servers or remove any other malware an attacker may have left behind.

What You Can Do:

  • Install the April 13th update on every Exchange server, then verify that it actually completed by checking the installed build number. A patch that was pushed is not the same as a patch that applied.
  • Check for IOCs (indicators of compromise) on impacted servers. Do not rely solely on web shell filenames published in other reports, since these vary from intrusion to intrusion; look instead at behaviour, such as unexpected .aspx files in the Exchange web directories and anomalous entries in the Exchange HttpProxy logs. For more information see the following Sophos article: HAFNIUM: Advice about the new nation state attack.
  • Confirm that your server backups are working and that at least one copy is kept offline, where ransomware cannot reach it.
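The following PowerShell script is an added example, not part of the original notice, that carries out the first two steps above on an Exchange server: it compares the installed build against the April 13th, 2021 security-update builds, lists recently created or modified web content in the directories Microsoft named as web shell drop locations for this campaign, and scans the HttpProxy logs for the unauthenticated `ServerInfo~*/*` request pattern Microsoft published as an indicator of CVE-2021-26855 exploitation. The build numbers, the directory list and the log pattern are taken from Microsoft's published guidance but should be confirmed against Microsoft's Exchange Server build-numbers page before use; `$SinceDate` is a placeholder the operator sets. Run it in an elevated PowerShell session on the Exchange server itself.

```powershell
# Added example (not from the original notice): post-patch triage for an on-premises
# Exchange server. Assumptions are labelled inline.
$ErrorActionPreference = 'Stop'

# --- 1. Verify the update completed: file version of ExSetup.exe (Microsoft's documented method) ---
# Assumption: these are the April 13, 2021 SU builds; confirm against Microsoft's build-numbers page.
$MinimumBuilds = @{
    '15.0.1497' = 15   # Exchange 2013 CU23 + Apr-2021 SU  (15.0.1497.15)
    '15.1.2176' = 12   # Exchange 2016 CU19 + Apr-2021 SU  (15.1.2176.12)
    '15.1.2242' = 8    # Exchange 2016 CU20 + Apr-2021 SU  (15.1.2242.8)
    '15.2.792'  = 15   # Exchange 2019 CU8  + Apr-2021 SU  (15.2.792.15)
    '15.2.858'  = 10   # Exchange 2019 CU9  + Apr-2021 SU  (15.2.858.10)
}
$exSetup = (Get-Command ExSetup.exe).FileVersionInfo
$cuKey   = '{0}.{1}.{2}' -f $exSetup.FileMajorPart, $exSetup.FileMinorPart, $exSetup.FileBuildPart
$build   = '{0}.{1}' -f $cuKey, $exSetup.FilePrivatePart
if (-not $MinimumBuilds.ContainsKey($cuKey)) {
    Write-Warning "Build $build is on a CU ($cuKey) with no April 2021 SU; move to a supported CU and re-patch."
} elseif ($exSetup.FilePrivatePart -lt $MinimumBuilds[$cuKey]) {
    Write-Warning "Build $build is BELOW the patched build $cuKey.$($MinimumBuilds[$cuKey]); the update did not apply."
} else {
    Write-Host "Build $build is at or above the April 2021 security update."
}

# --- 2. Web shells by behaviour, not filename: recent web content in the known drop directories ---
$SinceDate = Get-Date '2021-01-01'   # placeholder: earliest date of interest for this server
$exRoot    = Split-Path (Split-Path $exSetup.FileName -Parent) -Parent   # ...\Exchange Server\V15
$DropDirs  = @(
    'C:\inetpub\wwwroot\aspnet_client',                # normally contains no .aspx at all
    (Join-Path $exRoot 'FrontEnd\HttpProxy\owa\auth')  # ships .aspx files; compare dates with the CU install
)
$suspiciousFiles = foreach ($dir in $DropDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $SinceDate -or $_.LastWriteTime -ge $SinceDate }
    }
}

# --- 3. HttpProxy logs: unauthenticated requests with the SSRF AnchorMailbox pattern ---
$logDir  = Join-Path $exRoot 'Logging\HttpProxy'
$logHits = Get-ChildItem -Path $logDir -Recurse -Filter *.log -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $SinceDate } |
    ForEach-Object {
        # The logs are CSV; drop any '#' preamble but keep a '#Fields:' header line if one is present.
        $rows = Get-Content $_.FullName |
            Where-Object { $_ -and ($_ -notlike '#*' -or $_ -like '#Fields:*') } |
            ForEach-Object { $_ -replace '^#Fields:\s*', '' }
        $rows | ConvertFrom-Csv | Where-Object {
            [string]::IsNullOrEmpty($_.AuthenticatedUser) -and $_.AnchorMailbox -like 'ServerInfo~*/*'
        } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox, HttpStatus, UserAgent
    }

"`n=== Web content created or modified since $SinceDate in drop directories ==="
$suspiciousFiles | Select-Object FullName, CreationTime, LastWriteTime, Length | Format-Table -AutoSize
"`n=== HttpProxy requests matching the CVE-2021-26855 SSRF pattern ==="
$logHits | Format-Table -AutoSize
```

A clean result is not proof the server was never compromised: HttpProxy logs rotate, and an attacker who got in before the patch keeps whatever access they established. Treat any hit as the start of an incident response, not as a file to delete, and use Microsoft's own Test-ProxyLogon.ps1 and the Microsoft Safety Scanner (MSERT) alongside this quick check rather than instead of them.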

Resources: