Healthcare's Microsoft Exchange Critical Exposure
Published On March 15, 2021
Blog Post by Michael Flesher at Meditology Services
Meditology discusses impacts and recommendations for healthcare organizations
Over 30,000 organizations, including healthcare entities, have been infiltrated by a Chinese-affiliated espionage group via zero-day vulnerabilities in Microsoft Exchange email servers.  The attack has wide-ranging impacts for healthcare organizations, a majority of which use Microsoft to provide email services.
The Microsoft Exchange breach is the second massive-scale supply chain breach involving a third-party business associate following the SolarWinds breach discovered in December 2020 (see our related article, Massive SolarWinds Breach Exposes Supply Chain Risks). Like SolarWinds, the attack is not necessarily thwarted by installing security patches alone, as infected systems remain accessible via backdoors configured by attackers even after security patches have been applied.
This blog article provides an overview of the Microsoft Exchange breach, its origins, and the latest recommendations for mitigation from Microsoft, the CISA, and Meditology’s technical security and ethical hacking experts.
Summary of the Attack
On March 2, 2021 Microsoft released patches that addressed four security vulnerabilities in Microsoft’s Exchange E-mail Server that were being exploited by a previously unknown hacking group called “Hafnium.” The attacks were first identified by a security research firm called Volexity on January 6, 2021.
The group known as Hafnium appears to be an espionage group allegedly associated with the Chinese government and is currently launching attacks using an exploit targeting the four vulnerabilities.
Microsoft has listed the four exploits in the attack chain in their vulnerability portal:
|A server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.|
|An insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.|
|Post-authentication arbitrary file-write vulnerabilities in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use these vulnerabilities to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.|
*Explanations taken from Microsoft’s Hafnium attack page
Following the successful compromise of the Exchange Server, Hafnium hackers install and run web shell backdoors on the servers that allow them to remotely log in and steal data, including emails, and run other commands under administrative authority that are intended to increase the footprint of the compromise.
Microsoft is not aware of any automated exploit code that can leverage these vulnerabilities into the attack chain shown by Hafnium, but that does not imply that there are no exploits circulating surreptitiously or will not be developed in the future.
It is believed that over 30,000 organizations have been infiltrated by Hafnium in the last two months, including private industry and public governmental organizations. Now that the attack has been identified, it appears that Hafnium is stepping up its efforts to widely disseminate this exploit and take advantage of compromised systems and organizations.
Impact to Healthcare Organizations
This attack’s immediate effect is to allow the hackers to access organizational emails, which could reveal sensitive corporate information including e-PHI. Meditology’s ethical hacking and penetration testing experience also demonstrates that Microsoft email servers and communications for healthcare organizations commonly include plaintext logins and passwords that could lead to additional compromise of sensitive systems.
A secondary effect of the Hafnium attack is the installation of web shells which allow remote access to the compromised systems and can lead to lateral movement within the organization’s network and an increase in the number of compromised systems. It is common for attackers to exploit vulnerabilities such as the Exchange server vulnerabilities to gain a foothold into healthcare environments and escalate access and gain additional administrative access to networks and applications.
Depending on the organization’s network architecture and information-use policies, sensitive information or systems are at extreme risk of compromise through this attack chain.
If your organization has deployed Exchange servers in any Internet-facing segments, then there is a high probability that those servers have been compromised and are actively being exploited. This blog article includes links below to the Microsoft patches and a list of Indicators of Compromise (IOCs) as well as a tool to determine if the IOCs are present on your systems.
The following are recommended activities for healthcare entities to respond to the Microsoft Exchange attack and the related ongoing risk exposure.
- Immediately patch all Exchange servers. Apply the patches supplied by Microsoft (links below) that address the underlying vulnerabilities that enabled this hack. Prioritize these patches as “critical” and follow any procedures related to the deployment of critical patches
- Conduct a targeted risk assessment to identify potential exposure to the attack including reviewing Microsoft Exchange implementation and network architecture, patch levels, and specific Indicators of Compromise (IOCs)
- Review Microsoft’s published list of Indicators of Compromise (IOCs) to determine if their Exchange servers have fallen victim to this attack chain
- Consider deploying Microsoft’s script that was created recently to run a check for Hafnium IOCs to address performance and memory concerns. That script is available here: https://github.com/microsoft/CSS-Exchange/tree/main/Security
- Consider conducting an external and internal penetration test to identify vulnerabilities and technical configuration exposures that could lead to compromise via Exchange Servers and other critical infrastructure components
- Update risk tracking mechanisms, including risk registers, to document risk analysis and remediation activities in support of maintaining HIPAA and OCR compliance
Meditology specializes in risk assessment and technical testing of healthcare organization and networks. Contact our experts if you have any questions about this attack or to learn more about our related services including:
- Internal & External Penetration Testing
- Wireless Security
- Social Engineering
- Web Application Security
- Cloud Application Security
Additional Resources & References
- Krebs on Security - Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails, 03/02/2021
- Krebs on Security - At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software, 03/05/2021
- Krebs on Security - A Basic Timeline of the Exchange Mass-Hack, 03/08/2021
- Krebs on Security - Warning the World of a Ticking Time Bomb, 03/09/2021
- Microsoft - Hafnium targeting Exchange Servers with 0-day exploits, 03/02/2021
- Volexity - Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities, 03/02/2021
- Microsoft Patches: