What the Hafnium Attacks Tell Us About Today’s Ransomware Threat
Phil Muncaster
At the start of March, Microsoft took the unusual step of releasing four “out-of-band” patches to its customers. The reason was simple: it had detected a nation state adversary exploiting the related vulnerabilities in attacks on Exchange email servers. However, this was just the beginning. In just a few days, multiple threat groups had joined in with their own attacks and tens of thousands of endpoints in the US alone were thought to have been compromised. Increasingly, it is ransomware that is being deployed on these exposed endpoints as attackers try to maximize their monetization efforts.
If any were needed, it’s another clear reminder that ransomware remains one of the most potent threats facing organizations today, and one that even nation states may be leveraging. Mitigating this risk should be a priority for any security team, not just those running Exchange Server.
Hafnium: Ground Zero
The earliest attacks exploiting the four Exchange Server bugs patched by Microsoft were traced back to “Hafnium.” This Chinese state-sponsored group has previously been observed targeting various US organizations in sectors including infectious disease research, legal, higher education, defense, and NGOs. It’s unclear what they were after this time, but cyber-espionage for geopolitical gain is usually the name-of-the-game for such groups.
The beauty of targeting Exchange Server is that the endpoints contain sensitive data themselves, but can also be used as a jumping-off point to move laterally across the victim’s network in search of higher value information. The Hafnium attackers were observed stealing passwords from the servers, which allowed them to do this covertly.
It took just a week for as many as 10 APT groups to launch their own attacks.
It wasn’t long before other groups caught wind that there could be some serious gains to be made from so many exposed Exchange servers around the world. It took just a week from the day Microsoft patched the vulnerabilities for as many as 10 APT groups to launch their own attacks. By installing a simple web shell on the compromised machines, the attackers had their very own backdoor to remotely perform a range of post-exploitation activity like deploying ransomware.
One report claimed that as many as 30,000 US organizations were hacked in this way, with many more around the world falling victim.
The Ransomware Connection
From the very start there were concerns over ransomware. Microsoft warned of the DearCry variant being used in attacks, then a few days later Sophos explained that the group behind Black KingDom was also targeting the exposed Exchange Server. Because the vulnerabilities affected only the on-premises version of Exchange, some experts argued that it could cause more widespread damage. That’s because those running this version often have fewer resources to spend on security or patching — organizations in the education, local government, and SMB sectors.
One vendor recently claimed it detected a 57% increase in ransomware attacks over the start of 2021, while at the same time seeing Exchange Server infections triple in just a week. Even the Hafnium state-sponsored group has been linked in new research to a ransomware group known as Hades.
Widespread Damage
This highlights just how ubiquitous ransomware has become these days. It can be seen as part of a trend whereby the lines between nation state and cybercrime attacks are growing blurred. One new report even claims that some governments are increasingly looking to cyber-attacks to generate revenue rather than geopolitical advantage. Ransomware would be the perfect low-risk, high reward way to do so.
Ransomware and phishing are now more popular than traditional data breaches.
It’s also increasingly favored by cyber-criminals. A December report from non-profit the Identity Theft Resource Center (ITRC) argued that ransomware and phishing are now more popular than traditional data breaches as they are easier to carry out. Why? Because they rely on poorly trained corporate users making common security mistakes, like easy-to-guess and reused passwords and unpatched endpoints.
Whatever the reason, ransomware is a number one threat to global organizations. Now that many groups also steal data as well as encrypt systems, there’s an even greater pressure on victims to pay up. The financial and reputational costs could include:
Cost of the ransom payment itself
Possible regulatory fines
Cost of IT incident response, investigation, and clean-up
Legal costs (especially if a breach is followed by a class action suit)
Ransomware attacks are certainly getting more targeted and sophisticated. But that doesn’t mean you can’t take steps to mitigate the risk to your organization. By understanding the common mistakes and security gaps that are exploited in such attacks, you can take action to ensure your organization is protected. Here are a few tips:
Patch vulnerabilities (like the Microsoft Exchange Server ones) promptly
Use multi-factor authentication (MFA) to secure remote desktop (RDP) servers and other corporate accounts
Train employees to better spot phishing attacks
Segment networks to limit the spread of any infection
Most importantly, don’t pay those seeking to harm your organization. Increasingly, mid-sized organizations are finding they can cover these costs through their cyber-insurance policies. But in so doing, they’re only perpetuating the problem. For ransomware to go away, we need to find a way to make it unprofitable for the bad guys. That means enhanced cybersecurity and a united front against extortion.
