The need for a Zero Trust security model has been highlighted in the recent Hafnium hack of Microsoft Exchange servers. Businesses of all sizes and industries have been impacted, with over 60,000 organizations hacked so far, and immediate action is recommended. Read on for guidance on how to remediate the threat and protect your business. Learn how Wandera’s approach to Zero Trust protected businesses from this threat by preventing unauthorized devices connecting to business assets and isolating applications to enforce least-privilege access.


The Hafnium attack on Exchange Server


Microsoft has identified Hafnium, a state-sponsored group that operates from China, as the threat actor behind a new attack on Exchange Server. Although the full impact has yet to be established, at least sixty thousand organizations worldwide are believed to have been hacked so far.

When successfully exploited, the vulnerabilities allow an attacker to establish an untrusted connection to Exchange Servers, gain persistent system access and ultimately control of the enterprise network. As part of the response effort, Microsoft has released updates for Exchange Server to address the vulnerabilities that are actively being exploited.

The threat is severe enough that the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-02 in response to the discovery of the vulnerabilities. Among other things, the directive recommends that agencies without the capability to investigate whether they have been breached should “Immediately disconnect Microsoft Exchange on-premises servers”.

How to remediate the Exchange Server vulnerability

While Hafnium targeted high-value US intelligence targets, the tools and techniques have since been adopted by other groups and used to indiscriminately attack servers. As this attack is ongoing and the tools are being co-opted by new groups, it is essential to remediate the threat now.

“They went to town and started doing mass exploitation — indiscriminate attacks compromising exchange servers, literally around the world, with no regard to purpose or size or industry, they were hitting any and every server that they could.” – Steven Adair, President of threat intelligence organization Volexity.

Hafnium Attack on Exchange Server

At a high level, the attack is executed in three steps:

  1. Attackers gain access to an Exchange Server using server-side request forgery to establish a connection with the server (CVE-2021-26855).
  2. Malicious payloads, such as webshells, can then be uploaded to the Exchange Server, allowing the attacker to move laterally and attack other applications or systems on the network (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).
  3. Once completed, the attacker can use their remote access to steal data from the organization’s network.

Read more for full technical details of the Hafnium attack.

If your organization is running an Exchange Server it is important that you apply the updates immediately and take actions to mitigate any persistent threats. We have included a summary of the guidance below to help you identify what actions you need to take. You can find instructions for deploying the Exchange updates here.

Summary of guidance:

  • Exchange Online – not affected and no action is required.
  • Exchange 2003 and 2007 – not believed to be affected by the March 2021 vulnerabilities. However, these versions are no longer supported and should be upgraded to resolve other vulnerabilities and receive future fixes for security issues.
  • Exchange 2010 – impacted by CVE-2021-26857, which is not the first step in the attack chain. Organizations should apply the update and then follow the guidance below to investigate for potential exploitation and persistence.
  • Exchange 2013, 2016, and 2019 – impacted and updates should be deployed immediately. Once applied, mitigation steps should be followed to remove any persistent threats.

How to prevent future Exchange threats of this kind

The ability to execute the Hafnium attack relied on two weaknesses of traditional security models:

  • Unauthenticated devices can communicate with applications.
  • Network-level connectivity allows lateral movement.

The Zero Trust principle of “trust no one, always verify” means that all unauthenticated users and devices should be treated as malicious. Strong cryptographic techniques such as Single Packet Authorization require authentication to be completed before any communication is initiated. This effectively cloaks applications, protecting them from malicious outside parties. Additionally, Zero Trust policies that allow only trusted and secure devices to connect to Exchange and other business applications will prevent vulnerable authentication protocols from being exploited from devices or servers not owned by the organization.

One of the other core tenets of Zero Trust is least-privilege access: giving users the fewest permissions possible. By dividing the network up into tightly defined segments, administrators can exert granular control over who can access what. This approach prevents an attacker who has gained access to one system from indiscriminately leapfrogging to others.
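The two preceding paragraphs describe Single Packet Authorization (authenticate before any connection is accepted) and least-privilege segmentation (a device may reach only the services it is entitled to). The block below is an added illustration of both, written for this page and not Wandera's product code: a client builds a single authorization datagram (version, timestamp, nonce, device id, requested service, HMAC-SHA256), and a gateway accepts it only if the HMAC is valid for an enrolled device, the timestamp is fresh, the nonce has not been seen before, and the device is entitled to the requested segment. The device keys, device ids and service names are constructed demo values; the packet layout is this example's own, not a standard SPA wire format.

```python
"""Single Packet Authorization gate with per-device service entitlements.

Constructed illustration: an unauthenticated party never gets a reply, so the
service stays invisible; an enrolled device only gets the segments it is
entitled to, so one compromised host cannot leapfrog into every application.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

VERSION = 1
TAG_LEN = 32      # HMAC-SHA256 output length
MAX_SKEW = 30     # seconds of clock drift tolerated before a packet is stale

# Constructed enrolment data (hypothetical). Real deployments provision a
# unique secret per enrolled device and keep it in a secure store.
DEVICE_KEYS = {
    b"laptop-0042": hashlib.sha256(b"constructed-demo-key-0042").digest(),
    b"kiosk-0007": hashlib.sha256(b"constructed-demo-key-0007").digest(),
}
# Least-privilege policy: which segments each device may reach.
DEVICE_SERVICES = {
    b"laptop-0042": {b"exchange-owa", b"intranet"},
    b"kiosk-0007": {b"intranet"},
}


def build_spa_packet(device_id: bytes, service: bytes, key: bytes,
                     now: Optional[float] = None,
                     nonce: Optional[bytes] = None) -> bytes:
    """Client side: serialise the request and append an HMAC over all of it."""
    ts = int(now if now is not None else time.time())
    nonce = nonce if nonce is not None else os.urandom(16)
    body = (struct.pack("!BQ", VERSION, ts) + nonce
            + struct.pack("!B", len(device_id)) + device_id
            + struct.pack("!B", len(service)) + service)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaGateway:
    """Gateway side: decide whether one datagram opens a service for a device."""

    def __init__(self, keys, services, max_skew: int = MAX_SKEW):
        self.keys = keys
        self.services = services
        self.max_skew = max_skew
        self.seen_nonces = {}   # nonce -> expiry time, for replay detection

    def _parse(self, packet: bytes):
        if len(packet) < 9 + 16 + 1 + 1 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        version, ts = struct.unpack("!BQ", body[:9])
        nonce = body[9:25]
        off = 25
        try:
            id_len = body[off]; off += 1
            device_id = body[off:off + id_len]; off += id_len
            svc_len = body[off]; off += 1          # IndexError if truncated
            service = body[off:off + svc_len]; off += svc_len
        except IndexError:
            return None
        if version != VERSION or off != len(body):
            return None
        return body, device_id, service, ts, nonce, tag

    def check(self, packet: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        parsed = self._parse(packet)
        if parsed is None:
            return False, "malformed"
        body, device_id, service, ts, nonce, tag = parsed
        # Authenticate first: nothing below touches state for an unverified packet.
        # An unknown device is checked against a dummy key so the work done is
        # the same, and it is rejected regardless.
        key = self.keys.get(device_id)
        expected = hmac.new(key or b"\x00" * 32, body, hashlib.sha256).digest()
        if key is None or not hmac.compare_digest(expected, tag):
            return False, "bad-auth"
        if abs(now - ts) > self.max_skew:
            return False, "stale"
        # Drop expired nonces, then refuse anything we have already honoured.
        self.seen_nonces = {n: e for n, e in self.seen_nonces.items() if e > now}
        if nonce in self.seen_nonces:
            return False, "replay"
        self.seen_nonces[nonce] = ts + self.max_skew
        # Least privilege: the device must be entitled to this segment.
        if service not in self.services.get(device_id, set()):
            return False, "not-entitled"
        return True, "open"


if __name__ == "__main__":
    gw = SpaGateway(DEVICE_KEYS, DEVICE_SERVICES)
    pkt = build_spa_packet(b"laptop-0042", b"exchange-owa", DEVICE_KEYS[b"laptop-0042"])
    print(gw.check(pkt))   # first use: (True, 'open')
    print(gw.check(pkt))   # same datagram again: (False, 'replay')
```

The order of checks is the point: the HMAC is verified before the gateway touches its nonce cache or policy table, so unauthenticated traffic cannot fill the replay store or learn which device ids or service names exist, and every rejection is silent from the sender's point of view. Entitlement is evaluated last and per device, so a valid credential for one segment does not open the others.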

To learn more about Zero Trust and how it can help protect your critical applications and systems please get in touch with one of our security experts.