Hafnium Hack Explained

March 23, 2021
Cristian Sánchez

In this post, we begin by describing what the Hafnium hack is, then we explain how it could affect small businesses and the tools that are available to protect your business if you are affected by the hack.

What is the Hafnium hack?

The Hafnium hack is a cyber-attack on Microsoft’s Exchange servers. It is said to have affected over 30,000 organizations, including small businesses, government organizations, nonprofits, and others. Hafnium is the name Microsoft gave to the group behind the attack, and Microsoft’s assessment is that the group is sponsored by the Chinese government.

How can the Hafnium hack affect your business?

In short, from what we have learned about the Hafnium hack, affected systems can be completely taken over by the attackers. In the CVEs (Common Vulnerabilities and Exposures) published for these attacks, Microsoft specifies that each vulnerability has different characteristics. By chaining the vulnerabilities together, an attacker can gain administrative access to the system without holding any credentials before the attack begins.

According to Microsoft: “These vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.” This means that, knowing nothing more than the IP address of your server, an attacker can break in and do whatever they want. They would have access to all the information on the server, and they could plant additional malware so that their access survives if the original malware is removed. This makes it a truly devastating attack.

You may be wondering how an attacker would know the IP address of your server. Unfortunately, if you are vulnerable to the attack, an attacker does not need to know anything about your company to find it. Hackers can use publicly available tools like shodan.io to scan the internet for servers with known vulnerabilities and then exploit them.

What can you do to defend against the Hafnium hack?

On March 2nd, 2021, Microsoft released patches for the four vulnerabilities exploited by Hafnium. It is vital for any server running Microsoft Exchange versions 2013 to 2019 to install these patches as soon as possible; Microsoft even recommends taking unpatched servers offline as a precaution. However, installing the patches only stops Exchange servers from being broken into from now on. Servers that have already been exploited remain compromised, because the attackers use these vulnerabilities to install a web shell on the affected system, and that web shell can then be used to install further malware on the server. For this reason, Microsoft has released tools to check servers for intrusion, including a script that checks for indicators of compromise, as well as resources for defending against web shell attacks.
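As an added illustration (not code from the original post and not Microsoft’s own indicator-of-compromise script), the following PowerShell snippet shows the kind of check such a script performs: it lists web-script files created or modified after the patch date under the directories Exchange serves over the web, so that a web shell dropped by an attacker stands out. The directory paths, the file extensions and the cutoff date are assumptions; adjust them to your installation.

```powershell
# Added example: hunt for web-shell candidates on an on-premises Exchange server.
# Run in an elevated PowerShell session on the server itself.
# The roots below are ASSUMED locations of web-accessible Exchange content,
# not values taken from the post; change them to match your install.
param(
    # Files created or changed on or after this date are treated as leads.
    # The post gives March 2nd, 2021 as the patch release date.
    [datetime]$Cutoff = (Get-Date '2021-03-01'),
    [string[]]$WebRoots = @(
        'C:\inetpub\wwwroot\aspnet_client',                                           # assumed
        'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth'  # assumed
    )
)

# Server-side script types that a web shell is typically written as (assumed list).
$extensions = '*.aspx', '*.ashx', '*.asmx'

$candidates = foreach ($root in $WebRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include $extensions -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Cutoff -or $_.LastWriteTime -ge $Cutoff } |
        ForEach-Object {
            # Record path, timestamps, size and a hash so the finding can be
            # compared against a known-clean server or published indicators.
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                SizeBytes = $_.Length
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($candidates) {
    $candidates | Sort-Object -Property Created | Format-Table -AutoSize
    # Keep the evidence list for incident response before any cleanup is attempted.
    $candidates | Export-Csv -Path "$env:TEMP\webshell-candidates.csv" -NoTypeInformation
} else {
    "No web-script files created or modified since $Cutoff under the checked roots."
}
```

Hits are leads, not verdicts: a cumulative update installed after the cutoff also creates new files, so compare the hashes against a known-clean server or Microsoft’s published indicators before drawing conclusions.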

We hope you found this article informative. If you have a question, feel free to leave a comment down below. If you are interested in reading more articles about technology, security and web development, visit our blog. At CSV Code, we design websites with security in mind from the start. If you wish to learn more about our services, contact us.
