Attack on the “Microsoft Exchange” mail server service

Earlier this year, there was an attack on the mail server service “Microsoft Exchange”. According to information from Microsoft, the Chinese state-affiliated group Hafnium was behind the attack. Shortly before a planned security update from Microsoft addressing attacks on its email server software, the attackers intensified their activities to such an extent that the German Federal Office for Information Security (BSI) had to declare a “Code Red”. The vulnerabilities were so-called zero-day vulnerabilities, for which no updates were available.
 
The attack infiltrated numerous, mostly American, companies. Targets included organisations researching infectious diseases as well as universities, law firms and companies with defence contracts. But tens of thousands of Exchange servers were also affected in Germany, including some in German federal authorities such as the European Banking Authority (EBA), according to the BSI.
 
The hack exploited so-called zero-day vulnerabilities, meaning security holes that had not been published before and for which no updates were available at that time.
 
In each incident, the hackers left behind a so-called “web shell”: a password-protected hacking tool placed on the server that can be reached over the internet from any web browser and runs with administrator rights. Through it, the hackers can issue commands with the same privileges as a system administrator.
 
Which Exchange servers were attacked?
The 2013, 2016 and 2019 versions that are reachable from the internet over HTTPS (port 443) were affected. Microsoft has published so-called Indicators of Compromise (IoCs) for self-checks; these can be used to check whether your own servers are affected.
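One practical self-check alongside the published IoCs is to compare the script files in the server's web directories against a baseline recorded from a known-clean install: a web shell is a script file that was not there before, or a legitimate file that was rewritten. The following is an added example, not code from the article or from Microsoft; the extension list and the directory names are assumptions, and the sample web root is constructed inside a temporary folder.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Script types a web shell on an IIS-hosted Exchange front end would use (an assumption for this example).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

def sha256_of(path: Path) -> str:
    """Hash file contents so that altered files are caught, not only newly dropped ones."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root: Path) -> dict[str, str]:
    """Map every script file under root to its SHA-256, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTENSIONS
    }

def find_unexpected_scripts(root: Path, baseline: dict[str, str]) -> dict[str, str]:
    """Compare the live web root with a known-clean baseline; returns {relative path: "new" | "modified"}.
    A legitimate install does not grow or rewrite script files on its own, so every entry deserves a look."""
    findings = {}
    for rel, digest in build_baseline(root).items():
        if rel not in baseline:
            findings[rel] = "new"
        elif baseline[rel] != digest:
            findings[rel] = "modified"
    return findings

def demo() -> dict[str, str]:
    """Constructed sample: a tiny fake web root is baselined while clean, then tampered with."""
    root = Path(tempfile.mkdtemp())
    try:
        app = root / "webroot" / "app"  # placeholder directory, not a real Exchange path
        app.mkdir(parents=True)
        (app / "index.aspx").write_text("<%@ Page Language='C#' %> original")
        (app / "readme.txt").write_text("not a script, never reported")
        baseline = build_baseline(root)  # recorded from the known-clean state
        (app / "index.aspx").write_text("<%@ Page Language='C#' %> altered")  # modified in place
        (app / "dropped.aspx").write_text("<%@ Page Language='C#' %> new")  # dropped after baseline
        (app / "readme.txt").write_text("changed, still not a script")  # non-script change is ignored
        return find_unexpected_scripts(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

In practice the baseline is taken from an installation of the same Exchange build that has never been exposed, and the comparison is run on a copy of the suspect server's web directories.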
 
What to do when you detect an infection?
Unfortunately, it is not enough to apply the so-called patches, delete the web shells and restart the system. Rather, all activity on the server should be examined meticulously to stop the attack from spreading, for example through the attackers logging on to other systems within the IT infrastructure and causing damage there as well. Attackers can establish persistent access not only on the Exchange servers themselves but also on other systems, away from the original web shells, for example in the form of backdoors. If the attackers were able to penetrate the Active Directory, a complete reinstallation of the entire Windows environment may be necessary.
 
Reportable data protection incidents
At a minimum, access credentials (user names and passwords) were stolen. This may be a reportable data protection incident.
 
What to do?
Usually, the first step is to disconnect the servers from the internet. Then the affected systems are analysed. After a complete check of all systems, they can be patched; Microsoft has provided an out-of-band patch for this in the wake of the Hafnium hack.
 
Afterwards, the systems must be cleaned up and the attacker must be locked out. Operations can usually be restarted at this point.
 
Without a thorough analysis of the affected systems, however, putting them back into operation carries the risk that the attacker will still have access to the systems and data in question.