Earlier this year Microsoft released a number of patches affecting on-premise instillations of Exchange servers, which was actively being exploited by Hafnium. Hafnium is a newly identified group that is believed to be responsible for not only this attack, but also other attacks on internet facing servers.
Even though the use of the vulnerability was described as limited it is believed that we will see a quick rise in numbers of attacks. Watch as Ken and Michael share their expertise into this hack, as well as others.
Video Transcription
Michael Jenkins 0:04 Hello, it's Michael here from down under in Australia, joined by Ken, how are you again?
Ken Dwight 0:08 Oh, great, Michael, good to see you again. What my Australian background? Yeah, you've got the Australian background, I've got the office background, I could be anywhere, I could be spoofing you and pretending to come from another place in Australia, who would ever do that?
Michael Jenkins 0:23 hackers would, that's hackers. And of course, we are continuing on our series talking about various hacks and things like that. Ken, being a specialist in the anti-malware virus, ransomware type aspect. And I'm at the coalface facing all kinds of other unusual and weird things. A big thing for MSPs, and it guys of late has been hafnium. And forgive my Australian accent, if you say it differently. I think we all know what we're talking about. But look, a lot of people who are already in office 365 weren't really affected by this. I suspect that this exploit which targets exchange did probably attack office 365. But Microsoft had already worked out what to do about it, cleaned it up, and then retrofitted that back to the rest of the world. So if you're in office 365, the pain was almost zero. For all the rest of us who are running Exchange servers, especially small businesses, we were very vulnerable to this particular issue. Now half the items are actually a hack. hafnium is the name of their hacking group. And this exploit that they used is now being used by lots of other hacking groups. And this particular hack, the whole idea is to get on your server for ransom. That's right. Everything leads back to ransoms and money and all that sort of pain. But what's it all about? Microsoft found a bit of an issue in their Microsoft Exchange product, their platform, since server 2010, as an Exchange Server 2010. And every version right up until current, the patches were not so bad. Some of them were complete reinstall of exchange and some of them are just a little extra you ran in and fix it up. Now, basically, the problem here is that this exploit got out into the wild really quickly. And the group hafnium got hold of this. And basically, there was some concept code out there that allowed them to come in through what we use as webmail, Outlook Web Access, the feature that allows us to get out email or out of the office, allow them to put a file onto the server. And before you know it, the hackers got access to command line. Now, it doesn't matter how they get access, doesn't matter what tool they use, eventually, it all leads to the same thing. They're gonna hack you, they're gonna run ransomware, change account, passwords, steal data, make a data breach, all kinds of things. And in this case, that's very much what happens. Most of us MSP it type guys, we like to sort of preach about patching and patching and patching. But what do you do when Microsoft didn't have a patch, Microsoft didn't know about it. So Microsoft, even though they don't support back too far as exchange 2010 released an out of band patch, because this is serious enough and enough servers out there to want to patch them. And that's what they've done. They've sent out a patch, and all of us it guys have gone around and we've installed it. Now patching, patching for things other than Microsoft is very important as well. You've got Ivy, obviously, Adobe PDF readers, you've got Google Chrome, maybe, whatever it's got, you've got to make sure your patch everything. Why would you do that? makes things faster, adds features and stops the hackers. So patching is one of those things I cannot sort of not talk enough about, it's something I need to evangelize to you guys. Because yes, you might have access to Windows updates. And yes, it might be a pain that Windows 10 keeps updating features. But we need to do it because otherwise we end up having these discussions over and over and over again. So we've all gone out and patch the servers. What happened to the server, or servers that were listed in that 60,000 in the US and 30,000 across the rest of the world and got hacked. What actually happened? Well, from what I experienced so far, what I've seen is they got another server the command line, they went straight in and created a backdoor administrator account, they tampered with the Kerberos account, they made all kinds of changes to finally get their software up onto the system. Then they can spend, I don't know a week maybe downloading as much of the content as possible of your server, which is a data breach and then deploy their ransomware. And the best way I found to stop it from deploying this ransomware and really attacking your network is not only having a good firewall and patching your exchange but having good antivirus that supports side to side firewalls between workstations and servers andThings like that. Of course, what happens here is up to the hacker hackers, a very unique, their fingerprints can be traced back and you can work out which hacking group did what? Because they all use different tools, different methods to do things. So nobody can actually tell you what they've done. Because all these hackers do things differently. Yes, you can find the administrator account has been changed, you can find the Kerberos account had a password updated from the ransomware that's been deployed. But they all do it in different ways. So how do you work out what they've actually changed on your server? Or do you have to rebuild your server? Here's the question, because, unfortunately, with all the PowerShell scripts and things like that, all the things have been changing on servers is different for everybody that's been hacked. There's no rulebook, there's no way of saying, I've definitely got happening off the server, and it's not going to be hacked again. And I'm sure that you've all heard of backdoor exploits where they get on a server and leave a little backdoor for themselves. And if we come along as administrators, and we find as a hacker on there, cut them out, they'd have their back, they might have created a little dodgy account somewhere, or change the permission somewhere, or set up an FTP server or done something. And I'm sure you've got lots of experience with these backdoor situations where hackers get themselves back in.
Ken Dwight 6:18 Yeah, that's almost a given anytime there's an exploit like that. I have not worked with the hafnium exploit. Personally, I don't have clients that are in that environment. But one thing I am curious about, I know that Microsoft came out with some sort of remediation kit or a package of steps like beyond just patching, you want to go into that in any more detail, or if you use that. Yeah, so look, if you're really handy with PowerShell script, there's a number of scripts up there, available through GitHub enough Microsoft's website, which we'll go through and look for little known things that get tweaked and played with the most obvious for me was actually locating actual ASP X Files and things like that, in the IIS web server, which when you open up and look inside, clearly elevate a person to administrator and run the command line remotely for remote users. But the PowerShell does go through and it looks and checks your environment, it checks for changes, it checks dates on things, it does a lot of that sort of work for you. We've found it creates a lot of false positives. So really running those kits. I think, given the age of the servers, we're talking exchange, 2010. And newer, lots of patches over time have been applied. Lots of various PowerShell scripts by administrators have been run for different reasons. And there's lots of little registry keys and things that are not quite correct and have broken over time. And that triggers a lot of false positives in the PowerShell scripts.
Michael Jenkins 7:45 It was a really best effort GitHub sort of approach where someone had developed the script got it out real quick. And it did a lot of good things. It also generated a heck of a lot of logs to look through. And at the end of the day, you've been done by hafnium. If they've been on your server, it didn't necessarily highlight everything that changed on the server. If you were running the script, because you hadn't seen any symptoms, and you didn't think you were hacked, but you wanted to make sure you were safe. And you had all the patches in place and everything was done correctly, the scripts are fantastic. But unfortunately, good old sleuthing is what's needed. The normal thing that you would normally expect looking for accounts that shouldn't be there looking for things in event logs, looking for any processes that are running that shouldn't be. So on the particular servers that I've seen. Looking through the processes, I use Process Explorer, or Process Monitor, going through and just checking that everything that's running is really a Microsoft product, or something you've installed, doing all the usual sorts of things. And then these guys, basically, once they've got your data, you've got to make sure you check your insurance. Because wherever you might be located US, Australia, wherever you've got different roles. But letting your data out there is a big notifiable data breach.It can cause massive financial stress. So make sure you've got your insurance in place. And personally, if you've got these older Exchange servers, it's time to migrate to something new. Anyway, Microsoft at this time have released patches for these older servers. But if this happens, again, I'm not so sure that they're going to be so interested with the most recent changes to the way outlook on mobile devices, iOS and Android works. It won't talk to some of these older servers now anyway, do the TLS version that's supported by exchange. So Microsoft have kind of accidentally moving you forward anyway. Obviously, in this case, exchange 2019 was also a target of this particular issue. But I can tell you now, marks have released patches for that through Windows Updates quite regularly, whereas the older products, notSo much interested in that. So patching, again, might be a better idea to think about migrating office 365, or server 2019 for exchange, or whatever the new beast is that Microsoft to create. So that's where we've gone with hafnium. My experience with it so far is I've split a found probably close to 100 servers or so that were probed. So they were definitely in line to be hacked. We found one server in particular, that was in a group of companies that you would expect would be hacked, they are very high target to do with civil infrastructure.
And from what we found, they had gotten to the point of transferring data, we did the usual thing of contact the internet provider, have a look at how much data transfer it occurred during the period of time it did spike, we can see data has happened. And from there, we did actually, obviously, look at their insurance policies and things like that. And then from there, we looked for any executables running and they hadn't quite got to that point yet. Now, what am I gonna do with this current office 365, I can't guarantee this server is going to be patchable, I can't guarantee a federal the backdoors. The PowerShell script did send off a lot of alerts, we cleaned up a lot of things, we've got them working again. But there's no guarantees once this sort of thing has happened. So again, whenever you're cleaning up for ransomware, things like that, it's not always the best policy to completely rebuild the machine. Sometimes it's attached to very large organizations, you can imagine if a service got 70 odd users on it, it's going to take down 70 of people, it's going to rebuild, it's going to waste all of their time. So sometimes fixing these things is the right thing to do. And sometimes when you've got advice, like get off that platform or move to Office 365, that's also the right thing to do. And I know generally with malware, ransomware, all that kind of thing. Trying to mitigate and prevent it from happeningis the way to go. And obviously repair can be done. But in this situation where there are so many unknown backdoors, again, rebuild or move on. Any comment on that Ken?
Ken Dwight 12:17 No, there again, I'm not really seeing that environment with my clients. And so all those experiences firsthand for you. And here say for me, soI'm glad it's in capable hands down under.
Michael Jenkins 12:30 Yes. So look.Now this is sort of Carnival blown over. At the moment, I think most servers out there are now patched or people have moved on. There are a number of servers where people are still doing investigations and forensics and tracing and tracking. But let's hope that next month. So let's get through this month of clean up. Let's have the next month that we're in a much safer world, things have moved on, and that Ken and I have got something much brighter to talk about. Give you some information on your upcoming things, maybe something not so dark and devious from the old days. Exchange 2010. It was a great product. But yeah, it's getting old. Well, of course, it's good news that we didn't have anything new to talk about this this month, except for that that particular breach. But other than that, it's same old thing, patch update, obsolete stuff.
Ken Dwight 13:21 Think before you click all the same things we've been saying for 10 15 20 years now.
Alright, well, thanks for all that fresh information.
It's fun. It's seven o'clock in the evening here. So eight hours before my bedtime.
Michael Jenkins 14:35 Oh, maybe Yeah, I see. us guys. We never sleep. Trying to keep you guys safe out there. All right, everybody. Well, thank you for joining us again. And until next time.
Ken Dwight 14:45 See ya.
Michael Jenkins 13:28 like the new products coming out the ransom, and there's this new logos that come up on those ransom screens or lock you in, there's new groups behind them. But they're all using the same ideas, they're gonna get your data, they're gonna encrypt your data, and try and make some money from your data. And if you don't pay them that money, then hey, they put their data up on the web, and they're gonna hold you to ransom other ways. It might very well cripple your business or your clients business. So as Ken said, same old thing, patch, keep aware of things. If you feel something is a bit of a scam, don't proceed with it, whatever it might be, same old information, a new angle on it, maybe someone found an exploit in an Exchange Server, but at the same time, it ended up in the same little bucket of ransomware and the same process to mitigate and work forward.
Look, thanks for joining me, Ken. And a lot of think it's you're heading off to bed there, isn't it unto me is waking up here in Australia.