Hafnium/ProxyLogon Resource Center

Hafnium is a threat actor^[1] that initiated an attack targeting on-premises Microsoft Exchange Server software^[2].

What You Can Do

• Determine your level of exposure:
  • Indicators of Compromise
  • Which organizations are vulnerable
  • Which organizations were compromised
• Report to senior executives and the Board
• Follow the Microsoft mitigation instructions

Exposure

If cybersecurity were a house and a window is left open while the owner is on vacation, the house is compromised and is vulnerable to burglary. The vulnerability is exploited when a burglar climbs through the window and steals the TV. In some cases, we can detect only vulnerable organizations or only compromised ones, but with ProxyLogon we have information on both.

Indicators of Compromise

1. Versions 2010 and prior are not vulnerable.
2. Companies are at risk of compromise (vulnerable) if they’ve upgraded to the vulnerable versions 2013, 2016, or 2019 of Exchange Server.
3. Companies remain at risk of being compromised until they’ve patched against the vulnerabilities, which closes the vulnerabilities but does NOT remove web shells.

   Since companies could have been compromised before the patch was applied, they might still be compromised, even after they’ve patched against the vulnerabilities.

4. Confirmed compromise is indicated by the presence of web shells, which allows the attacker to gain access to the compromised Exchange Server. The detection method includes checking for the presence of a limited number of web shell file names.
5. Since the web shell can have any file name and can be placed anywhere within the web content root directory tree, a system might potentially be compromised, even if one of the known web shells is not detected. The company will remain compromised until they perform forensic analysis of their Exchange Server(s), determine the scope of the impact, and take appropriate measures to clean up the compromise and any additional theft or destruction caused by the attacker.

Vulnerable Organizations

There are three risk vectors that can identify vulnerable systems:

• TLS/SSL Configurations
• Open Ports
• Patching Cadence

Organizations with systems that have the vulnerability can be identified in the following ways:

• Across your portfolio: Use the “ProxyLogon” Vulnerability filter.
• For a specific company: Findings ➔ Vulnerability Filter ➔ CVE-2021-26855 (ProxyLogon). Uncheck the Impacts RV Grade filter to see historical records where the organization was exposed but has since patched the vulnerability.

TLS/SSL Configurations and Open Ports display ‘Potential’ vulnerabilities because they are derived from a data partner’s observations. We take a conservative stance and label the partner’s findings as ‘Potential.’

Findings in Patching Cadence use a proprietary Bitsight scanner and will show up as ‘confirmed’ vulnerabilities. Patching cadence findings will indicate when a vulnerable system has been updated to remediate the vulnerability.

Even if the system is not vulnerable, we still test for malicious web shells. We’ve found that some organizations are patching against the vulnerabilities without identifying that they’ve been compromised.

Compromised Organizations

Compromised organizations are indicated by a Backdoor/Exchange.ProxyLogon infection in the Botnet Infections risk vector. They can be identified in the following ways:

• Across your portfolio: Use the “Backdoor/Exchange.ProxyLogon” Infection filter.
• For a specific company: Findings ➔ Infection Family ➔ Backdoor/Exchange.ProxyLogon

If the web shell is removed, the event will remain but the Last Seen date will reflect the last time the event was observed. Note that while we scan for the compromise daily, the results are only added to the Bitsight platform every three (3) days. Because the risk vector grade and overall rating for organizations will continue to be negatively impacted for compromises that last for multiple days (as is the case with typical Botnet Infections), the 3-day granularity helps to ensure organizations are assessed fairly by giving them time to perform forensics and expunge web shells.

Note that the initial observations were added on March 11 and 12, 2021. The subsequent updates will be reflected in the Bitsight platform on March 23. Thereafter, updates will appear every three (3) days.

Backdoor/ProxyLogon events impact the rating and will decay linearly over 180 days like any other Compromised System event.

Report to Senior Executives and the Board

This incident is of significant concern to corporate officers and directors who are responsible for overseeing risks to the enterprise. Security and risk professionals should immediately report potential exposure to senior executives and the board as soon as possible. Using clear, concise language is critical for security professionals to most effectively communicate risk.

Recommended reports:

• Portfolio Impact Report – Identify how risk is distributed across your portfolio.
• Portfolio Collaboration Report – Provides an overview of collaboration engagement across your portfolio, highlights touch-points, and allows you to track your progress with third party collaboration (including changes in risk).

Resources

• Bitsight Academy:
  • Responding to the Hafnium Attack
  • Locate Hafnium Vulnerabilities
  • Initiate Collaboration
• Bitsight Blog:
  • Bitsight Observations Into the HAFNIUM Attacks: Part One
  • Bitsight Observations Into HAFNIUM Attacks, Part Two: Unpatched Exchange Servers Remain Vulnerable
  • Bitsight Observations Into HAFNIUM Attacks, Part Three: Exploitation and Vulnerability Persists
  • Bitsight Observations Into Hafnium Part Four: Who Is Still Vulnerable?
• Knowledge Base:
  • Frequently Asked Questions