Bitsight Observations Into HAFNIUM Attacks, Part Two

Written by Luis Grangeia
Manager, Product Research
Written by Paulo Pacheco
Principal Data Scientist and Security Researcher

Microsoft Exchange is critical business software used by organizations around the world for email. Sensitive data and communications are stored and exchanged on the platform daily. In an unusual situation, threat actors have performed mass exploitation of zero-day vulnerabilities in Microsoft Exchange.

This attack is unusual because it is one of the rare cases in which attackers performed mass exploitation of near-zero-day vulnerabilities, in particular ones that allowed remote code execution (RCE). Many organizations were, and still are, vulnerable to exploitation.

Bitsight’s latest global analysis shows that despite repeated warnings from Microsoft and government agencies, many organizations still have not patched vulnerable Microsoft Exchange Servers and remain at risk of exploitation:

  • Nearly 1 in 3 companies who use Microsoft Exchange are currently running vulnerable versions.
  • Nearly 1 in 3 exposed Microsoft Exchange servers are currently vulnerable.
  • More than 5% of global government entities are currently running vulnerable versions of Exchange.
  • More than 340 U.S. government entities at the state, local, and Federal level -- including multiple U.S. Federal agencies -- are currently running vulnerable versions of Microsoft Exchange.
  • More than 5% of global utilities are currently running vulnerable versions of Exchange.
  • More than 3% of global aerospace/defense companies are currently running vulnerable versions of Exchange.

Despite recent warnings to patch, Bitsight observes a very high rate of confirmed vulnerable versions of Exchange currently running across the globe.

Bitsight is tracking the total number of companies running confirmed vulnerable versions of Microsoft Exchange. Organizations rely on Exchange as a mail and calendar service that stores company email on a centralized server, so an attacker who infiltrates that server gains access to contact information and sensitive business communications. As of March 10, we assess that nearly 1 in 3 companies with Exchange are currently running vulnerable versions. These organizations should initiate an incident response process under the assumption that their server was compromised.

Bitsight is tracking the prevalence of organizations running vulnerable versions of Microsoft Exchange Server by sector. We find that more than 5% of global government entities are currently running vulnerable versions of Exchange.

Bitsight is also tracking sector-specific performance, comparing the prevalence of vulnerable versions of Microsoft Exchange Server with patched or non-vulnerable versions in key sectors.

Of particular concern is the prevalence of vulnerable versions of Microsoft Exchange within the U.S. government. Bitsight finds that more than 340 U.S. government entities at the state, local, and Federal level -- including multiple U.S. Federal agencies -- are currently running vulnerable versions of Microsoft Exchange.

Organizations are seeking to determine whether they or their vendors may be running vulnerable versions of Microsoft Exchange Server in order to understand their exposure. Bitsight currently shows data on potentially vulnerable Exchange servers in the vulnerability catalog. Customers can find affected servers by searching for any of the Exchange CVEs in the attack chain:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

Bitsight will continue to update this research with additional telemetry. Please reach out to Bitsight if you have specific questions about the impact of this incident on your vendor ecosystem.

What Should Organizations Do?

Based on analysis and public reporting, Bitsight estimates that the majority of vulnerable Exchange servers on the Internet were likely compromised, making it imperative for organizations with public Exchange servers to initiate an incident response process under the assumption that theirs was compromised.

Identifying the current Exchange Server version can be difficult because Microsoft does not always update the version string when a patch is applied -- making it look like organizations are still running a “vulnerable” version when they have actually updated their systems. With this in mind, it’s best to err on the side of caution and install any available updates immediately.
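As an added illustration of the version-string problem (example code written for this page, not Bitsight's scanner): it reads the major.minor.build that OWA exposes in its static-asset paths (an assumed format) and shows why that string alone cannot confirm the security update, whose change is confined to the fourth build component that the path does not reveal; the threshold table is a labelled placeholder, not Microsoft's published build numbers.

```python
import re
from typing import Optional

# Constructed OWA logon page fragment (not a real capture). OWA serves its static
# assets from a path that embeds the major.minor.build of the installed Cumulative
# Update; the fourth component, which a Security Update changes, is not in the path.
SAMPLE_OWA_HTML = (
    '<link rel="shortcut icon" href="/owa/auth/15.1.2176/themes/resources/favicon.ico">'
)

# Placeholder thresholds, keyed by CU build prefix -> lowest patched revision.
# These are illustrative values, NOT Microsoft's published build numbers; populate
# them from the release notes of the March 2021 security updates before use.
EXAMPLE_MIN_PATCHED_REVISION = {
    "15.1.2176": 99,   # placeholder for an Exchange 2016 CU
    "15.2.792": 99,    # placeholder for an Exchange 2019 CU
}

_PATH_VERSION = re.compile(r"/owa/auth/(\d+\.\d+\.\d+)/")


def observed_build(html: str) -> Optional[str]:
    """Return the major.minor.build string visible in an OWA page, or None."""
    m = _PATH_VERSION.search(html)
    return m.group(1) if m else None


def classify(build: str, min_patched: dict) -> str:
    """Classify an Exchange build string against per-CU patch thresholds.

    Three or four dot-separated components are accepted. Only a four-component
    build (as read on the host itself) can prove the Security Update is present;
    the externally visible three-component form is reported as 'undetermined'
    so it is treated as potentially vulnerable rather than as safe.
    """
    parts = build.split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an Exchange build string: {build!r}")
    cu = ".".join(parts[:3])
    if cu not in min_patched:
        return "unknown-cu"        # no threshold known: treat as potentially vulnerable
    if len(parts) == 3:
        return "undetermined"      # patch level not visible from the version string
    return "patched" if int(parts[3]) >= min_patched[cu] else "vulnerable"


def assess_owa_page(html: str, min_patched: dict) -> str:
    """Combine extraction and classification for one fetched page body."""
    build = observed_build(html)
    return "no-version" if build is None else classify(build, min_patched)
```

An "undetermined" or "unknown-cu" result is the case the paragraph above describes: the host must be checked locally for the installed security update rather than assumed safe or assumed vulnerable from the externally visible string.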

Organizations running any version of Microsoft Exchange Server should immediately install any available patches to Exchange Server software.

It’s also important to note that the presence of this vulnerability within your third-party vendor ecosystem can be a dangerous threat vector as well. Attackers who have compromised a vendor’s Exchange server can not only read your conversations with that vendor but can also penetrate your network through the vendor’s access. Continuously monitoring your supply chain can help identify such exposures and facilitate remediation before they become a danger to your organization.
