Microsoft Exchange Cyberattack: Hafnium Email Hack Timeline and Incident Details

A Microsoft Exchange Server cyberattack and email hack apparently impacted thousands of on-premises email customers, small businesses, enterprises and government organizations worldwide.

The following links summarize steps that MSPs and MSSPs can take to patch Exchange Server for customers. But patching is not enough to kick hackers out of compromised Exchange Server systems.

Follow each of the links, compiled by the CISA, to learn how to determine whether your customers’ Exchange Server systems were compromised:

  1. Microsoft Advisory: Multiple Security Updates Released for Exchange Server
  2. Microsoft Blog: HAFNIUM targeting Exchange Servers with 0-day exploits
  3. Microsoft GitHub Repository: CSS-Exchange
  4. Original CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities
  5. CISA Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities

Meanwhile, the timeline below tracks the Microsoft Exchange Server cyberattack, software patches for the email server platform, corrective measures for MSPs and MSSPs that are assisting customers, and Microsoft’s ongoing investigation into the attack.

Note: Blog originally posted March 2, 2021. Updated regularly thereafter. Check back daily.



Microsoft Exchange Server Cyberattack Timeline

April 13, 2021: Microsoft and the U.S. National Security Agency urged users to patch four newly discovered Exchange Server vulnerabilities. The newly disclosed vulnerabilities are not related to the Hafnium Exchange Server vulnerability disclosures from March 2021. Source: MSSP Alert, April 13, 2021.


April 12, 2021: The CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. They include:


April 7, 2021: Suspected Chinese hackers mined troves of personal information acquired beforehand to carry out the Microsoft Exchange attack, an emerging theory suggests. Such a method, if confirmed, could realize long-held fears about the national security consequences of Beijing’s prior massive data thefts. And it would suggest the hackers had a higher degree of planning and sophistication than previously understood. Source: The Wall Street Journal, April 7, 2021.


March 31, 2021: The CISA released supplemental direction about the Emergency Directive for Microsoft Exchange Server Vulnerabilities. Source: CISA, March 31, 2021.


March 22, 2021: Another ransomware operation known as ‘Black Kingdom’ is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt servers. Source: BleepingComputer, March 22, 2021.


Friday, March 19, 2021: An alleged REvil ransomware attack against Acer may have involved the ransomware gang leveraging Exchange Server vulnerabilities within Acer’s network. Source: BleepingComputer, March 19, 2021.


Thursday, March 18, 2021:

  • Microsoft Defender Antivirus Mitigates Exchange Vulnerabilities: Microsoft Defender Antivirus and System Center Endpoint Protection will automatically mitigate CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed. Customers do not need to take action beyond ensuring they have installed the latest security intelligence update (build 1.333.747.0 or newer), if they do not already have automatic updates turned on. Source: Microsoft, March 18, 2021.

Tuesday, March 16, 2021:

  • Microsoft’s Latest Guidance: Microsoft offers this guidance to responders who are investigating and remediating on-premises Exchange Server vulnerabilities. The guidance describes how the hack works, how to determine if you’re vulnerable, how to mitigate the threat, whether you’ve been compromised, remediation steps and next-steps for protection. Source: Microsoft, March 16, 2021.
  • The Netherlands: At least 1,200 Dutch servers have likely been affected by the Exchange Server vulnerabilities and resulting attacks. Source: Reuters, March 16, 2021.

Monday, March 15, 2021:

  • Microsoft Exchange On-Premises Mitigation Tool: The Microsoft Exchange On-Premises Mitigation Tool is designed to help customers who do not have dedicated security or IT teams to apply these security updates. Source: Microsoft, March 15, 2021.
  • Exchange Attack Surface — Smaller Than Predicted?: There are roughly 2,500 to 18,000 vulnerable public-facing Microsoft Exchange servers worldwide, a majority of which are in Europe, the Middle East, and Africa (EMEA). However, the vast majority of the victims were located in the United States and Germany, demonstrating a strong degree of intentionality by the perpetrators. The attack surface was smaller and more targeted than previously thought. Source: Security Scorecard, March 15, 2021.
  • Attempted Cyberattacks Against Exchange Surge: The number of attempted attacks against the Microsoft Exchange vulnerability has increased tenfold, from 700 on March 11 to over 7,200 on March 15. Source: Check Point Research, March 15, 2021.

Saturday, March 13, 2021:

  • Microsoft Hack Probe: Microsoft is investigating whether hackers who attacked its email system exploited the findings of Taiwanese researchers who were the first to alert the software company to the vulnerabilities. DevCore, a small firm based in Taipei City that specializes in discovering computer security flaws, in December 2020 said it found bugs affecting Microsoft’s widely used Exchange business email software. Then in late February 2021, Microsoft notified DevCore that it was close to releasing security patches to fix the problem. Source: Bloomberg, March 13, 2021.
  • CISA – Exchange Malware Analysis Reports (MARs): CISA has added seven Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each MAR identifies a webshell associated with exploitation of the vulnerabilities in Microsoft Exchange Server products. After successfully exploiting a Microsoft Exchange Server vulnerability for initial access, malicious cyber actors can upload a webshell to enable remote administration of the affected system. Source: CISA, March 13, 2021.


Friday, March 12, 2021:

  • Exchange Ransomware Attacks: Kryptos Logic has discovered 6,970 publicly exposed webshells that were placed by actors exploiting the Exchange vulnerability. These shells are being used to deploy ransomware. Source: Kryptos Logic, March 12, 2021.
  • DearCry is a new ransomware variant that exploits the same vulnerabilities in Microsoft Exchange as Hafnium. It creates encrypted copies of the attacked files and deletes the originals. Source: Sophos, March 12, 2021.

Thursday, March 11, 2021:

  • Ransom-seeking hackers have begun taking advantage of the Microsoft Exchange vulnerability — a serious escalation that could portend widespread digital disruption. The disclosure, made on Twitter by Microsoft security program manager Phillip Misner, is the realization of worries that have been coursing through the security community for days. Source: Reuters, March 11, 2021.

  • Microsoft observed a new family of human-operated ransomware attacking customers, detected as Ransom:Win32/DoejoCrypt.A. These human-operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to compromise customers. Source: Microsoft, March 11, 2021.

  • RocketCyber, owned by Kaseya, has developed a Microsoft Exchange Hafnium Exploit Detection App to help MSPs safeguard end-customer email systems. Source: RocketCyber, March 11, 2021.

Wednesday, March 10, 2021: Multiple updates…

  • As many as 60,000 Exchange Servers in Germany were initially exposed to the vulnerabilities. Roughly 25,000 of those systems still need to be fixed. Source: Reuters, March 10, 2021.
  • ESET Research has discovered that more than 10 different advanced persistent threat (APT) groups are exploiting the recent Microsoft Exchange vulnerabilities to compromise email servers. Moreover, ESET has identified more than 5,000 email servers that have been affected by malicious activity related to the incident. Source: ESET, March 10, 2021.
  • The FBI and CISA issued a joint advisory describing the latest details, findings and mitigation steps for the Microsoft Exchange vulnerability. Source: FBI and CISA, March 10, 2021.


Monday, March 8, 2021: The CISA issued an alert that “strongly urges all organizations to immediately address Microsoft Exchange vulnerabilities.” A CISA tip sheet outlines five steps for IT security staff to take.


Sunday, March 7, 2021: Multiple Updates…

  • Hackers attacked Exchange email servers at the European Banking Authority. Source: European Banking Authority, March 7, 2021.
  • Microsoft released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities. Source: Microsoft, March 7, 2021.
  • The White House urged computer network operators to take further steps to gauge whether their systems were targeted amid a hack of Microsoft’s email program, saying a recent software patch still left serious vulnerabilities. Source: Reuters, March 7, 2021.
  • The hack has impacted at least 60,000 Microsoft customers worldwide. Source: Bloomberg, March 7, 2021.

Saturday, March 6, 2021: The Exchange Server hack may have infected tens of thousands of businesses, government offices and schools in the U.S. One source suggests the impact could extend across 250,000 organizations. Source: The Wall Street Journal, March 6, 2021.


Friday, March 5, 2021: Patching Exchange Server isn’t enough. Amid that reality, Microsoft strongly recommends that customers investigate their Exchange deployments using the hunting recommendations here to ensure that they have not been compromised. Microsoft also shares an Nmap script to help you discover vulnerable servers within your own infrastructure. Source: Microsoft, March 5, 2021.



Wednesday, March 3, 2021:

  • MSP & MSSP Implications: Cybersecurity service provider Huntress describes the Exchange Server hack and the potential implications for MSPs and MSSPs.
  • CISA Alert Says Patching Isn’t Enough: A CISA (Cybersecurity and Infrastructure Security Agency) alert tells organizations running Exchange Server to examine their systems for the TTPs (tactics, techniques and procedures) and IOCs (indicators of compromise) to detect any malicious activity. If an organization discovers exploitation activity, it should assume network identity compromise and follow incident response procedures. If an organization finds no activity, it should apply available patches immediately and implement the mitigations in the alert. Source: CISA, March 3, 2021.

Tuesday, March 2, 2021: Multiple updates…

  • The Attacker: Microsoft alleges that a state-sponsored threat actor called Hafnium, which operates from China, launched the attacks against Exchange Server.
  • Microsoft Discloses Exchange Server Hacks, Patches: Microsoft released multiple Exchange Server software patches to address e-mail server vulnerabilities that hackers are exploiting in the wild.

January 2021: The attacks were first detected but not publicly disclosed in January 2021, according to these updates…

  • Volexity: Security monitoring service provider Volexity discovers anomalous activity on two of its customers’ Microsoft Exchange servers. Source: Volexity, March 2, 2021.
  • Mandiant from FireEye: Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint security solutions. Source: FireEye’s Mandiant, March 4, 2021.

December 2020:

  • DevCore, a small firm based in Taipei City that specializes in discovering computer security flaws, in December 2020 said it found bugs affecting Microsoft’s widely used Exchange business email software. Then in late February 2021, Microsoft notified DevCore that it was close to releasing security patches to fix the problem. Source: Bloomberg, March 13, 2021.

Check this blog regularly for ongoing timeline updates.

7 Comments

    Jason Hill:

    In the timeline, I don’t see any reference to the TrendMicro analysis that was published on January 29. This article most certainly appears to be the earliest post I’ve found related to these attacks.

    https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html

      Joe Panettieri:

      Hey Jason: Thanks for the link and background. We appreciate the extra data point.
      -jp

    Mark:

    Here are some statistics related to the topic:
    – The number of all Exchange servers installed worldwide (+map).
    – Exchange servers breakdown by Internet Service Providers.
    – Top ports with Microsoft Exchange.
    – Versions of MS Exchange installed.
    – Domains with Exchange aggregated by Alexa rank.

    Link: https://spyse.com/blog/cybersecurity-research/microsoft-exchange-server-proxylogon

      Joe Panettieri:

      Mark: Thanks for the link and associated data points.
      -jp

    Frank Marker:

    Our Exchange 2016 service provider lost ALL their servers while either applying the CU20 roll-up and/or allowing Microsoft Defender to apply mitigation via an update on 2021-03-18 thru 2021-03-19. They needed to completely rebuild their Exchange servers and then reload the information stores.

    I’ve not seen this issue reported anywhere. So has anyone actually experienced this? – or is our SP economical with the truth behind what happened?

      Joe Panettieri:

      Frank: Sorry to hear about the challenges your business is facing. I am not aware of this being reported elsewhere. Can you share any more details/updates?
      -jp

    Frank Marker:

    The SP stated that CU20 was applied and tested OK (on one Exchange server). This was on 2021-03-17. They then claimed that one or two things happened on the night of 2021-03-18:

    1- an automated update was performed over which [they] had no control or
    2- Microsoft Defender performed an automated task

    This apparently rendered 40 Exchange servers “completely inoperable”. They then had to rebuild each Exchange Server and rebuild the information stores from backups. Total data around 500Tb and this took over a week before all mailboxes were live again.

    Just not believing this event history.
