16 Jun, 2021

Microsoft Exchange Server, which runs exclusively on Windows Server operating systems, is a widely used mail server with numerous users around the world. A cyber attack by HAFNIUM, an infamous hacking group, put the security of this well-known mail server in question when Microsoft announced in March 2021 that HAFNIUM had created a backdoor of sorts and was targeting Exchange Servers with 0-day exploits.

Since then, the company has developed and distributed several security patches to safeguard its users from probable threats. Users around the world have been cautious about this incident, following its developments and evaluating their own exposure.

In response, the Bangladesh Government's e-Government Computer Incident Response Team (BGD e-GOV CIRT), which is also the National CIRT of Bangladesh (N-CERT), has published a Cyber Threat Report covering the recent exploitation of Microsoft Exchange Server and the current scenario in Bangladesh.

About Hafnium

Hafnium is a cyber-espionage group. They recently came under the spotlight due to their alleged connection to, and backing by, the Chinese government in attacks to steal other nations' sensitive data. The allegations mark them as "a state-sponsored hacking group operating out of China".

Cyber attack by HAFNIUM

Microsoft’s Announcement

In March 2021, Microsoft announced that Microsoft Exchange Server had been breached and pointed fingers at the hacker group Hafnium. According to the alert, the cyber attack by HAFNIUM involved multiple 0-day exploits that targeted on-premises versions of Microsoft Exchange Server.

These vulnerabilities were used to access on-premises Exchange servers, which gave the attackers an opportunity to deploy web shells on the compromised server and gain access to several email accounts. It also allowed them to install additional malware to gain long-term access.

Announcement from National CIRT of Bangladesh

On the basis of Microsoft's report, the Bangladesh Government's e-Government Computer Incident Response Team (CIRT) investigated whether any such incidents had affected Bangladeshi IP addresses. As a result, some IP addresses associated with different Bangladeshi organizations were found. Some of these addresses are already compromised and exploited, whereas the others are vulnerable to these threats.

They published a full Cyber Threat Report in Bangladesh's context which revealed some alarming facts. The report distinguishes two types of organizations:

  1. Organizations that are already compromised
  2. Organizations with vulnerable assets which are at risk

The first category is already compromised through web shell injection. There are some well-known and reputed organizations in this list that are already compromised and have web shells present in their Exchange servers.

On the other hand, a larger number of IP addresses and assets from Bangladesh were found vulnerable and at risk of a data breach. They include some concerning names, among them government-owned banks, regulatory commissions, organizations working in national security, as well as privately owned banks, hospitals, companies, etc.

The full report is available for anyone interested.

Suggested Security Measures

Based on the report that Microsoft published, the cyber threat research unit of the Bangladesh government has already suggested a few security measures to strengthen the security. 

The first step is to determine whether the server is already compromised. For that, the indicators of compromise (IOCs) associated with the malicious activity prove vital. After that determination come the tactics, techniques and procedures (TTPs).

Both the TTPs and the IOCs associated with this malicious activity are shared publicly. To secure against this threat, BGD e-GOV CIRT recommends that organizations examine their systems for the TTPs and use the IOCs to detect any malicious activity.

Where exploitation activity is found, the concerned organization should assume its network identity is already compromised and follow incident response procedures. Even if no such activity is found, they should apply available patches immediately and implement the mitigation steps.
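As an added example (not code from the post or from BGD e-GOV CIRT), the following Python sweep operationalizes the first step: it checks server-side script files in a web directory against an IOC list of file names and SHA-256 hashes, and flags script files modified after a known-good baseline, which is how a dropped web shell typically shows up. The IOC values and the sample directory are constructed placeholders; real indicators come from the published report.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Added example, not the post's or BGD e-GOV CIRT's code. Constructed placeholder
# IOCs only: a fake "shell" body to derive a sample hash, and a sample file name.
PLACEHOLDER_SHELL_BODY = b'<script runat="server">/* placeholder, not a real shell */</script>'
PLACEHOLDER_IOC_HASHES = {hashlib.sha256(PLACEHOLDER_SHELL_BODY).hexdigest()}
PLACEHOLDER_IOC_NAMES = {"placeholder_shell.aspx"}

def sha256_of(path):
    """Hash a file in chunks so large files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_for_webshell_iocs(root, ioc_hashes, ioc_names, modified_after=None, exts=(".aspx", ".ashx")):
    """Return (path, reason) pairs for script files under root that match an IOC by
    name or SHA-256, or (TTP-style heuristic) were modified after a known-good baseline."""
    names = {n.lower() for n in ioc_names}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue  # only server-side script types are of interest here
        if path.name.lower() in names:
            findings.append((str(path), "filename matches IOC"))
        if sha256_of(path) in ioc_hashes:
            findings.append((str(path), "sha256 matches IOC"))
        if modified_after is not None and path.stat().st_mtime > modified_after:
            findings.append((str(path), "script file modified after baseline"))
    return findings

def demo():
    """Build a constructed sample web directory in a temp folder and scan it."""
    baseline = time.time() - 3600            # last known-good audit, one hour ago
    old = baseline - 86400                   # mtime for files that predate the baseline
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "legit.aspx").write_text('<%@ Page Language="C#" %>')
        (root / "placeholder_shell.aspx").write_text("benign body, matched by name only")
        (root / "dropped.aspx").write_bytes(PLACEHOLDER_SHELL_BODY)   # fresh mtime, hash match
        (root / "web.config").write_text("<configuration/>")          # wrong extension, skipped
        for name in ("legit.aspx", "placeholder_shell.aspx", "web.config"):
            os.utime(root / name, (old, old))
        return scan_for_webshell_iocs(root, PLACEHOLDER_IOC_HASHES, PLACEHOLDER_IOC_NAMES, baseline)
```

A hit on any of the three checks is a reason to move to the incident response path described above rather than to simply patch.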

To wrap up, this cyber attack by HAFNIUM is creating a real buzz all around the world. We are still lucky enough not to have had a big scandal over it so far; however, as per the report, there are surely some vulnerable areas which should be addressed immediately. Microsoft is releasing patches regularly against this threat. It falls under the responsibility of the server admin to make sure that his or her Windows Exchange server is updated with the latest patches. Additionally, it is also important for everyone to ensure the online security of their computers and servers on a personal level.

The Author

Shahriar Rahman

Shahriar is a cybersecurity enthusiast, computer geek and keen blogger. He has been writing in various niches for the last five years and works towards making the internet a safer place for everyone.