How to patch Exchange Server for the Hafnium zero-day attack

Admins in many businesses report indicators of compromise from an Exchange zero-day vulnerability. Don't assume you're not a target. Investigate for signs of the attack and patch now.

Image: Gwengoat / Getty Images

Administrators who run on-premises Microsoft Exchange Server woke up on March 2 to a rude awakening: Some of them now have incidents to investigate. Starting on February 28 and possibly earlier, Exchange Servers were targeted in a widespread attack that exploited a zero-day server-side request forgery (SSRF) vulnerability, one that lets an unauthenticated attacker send requests through the Exchange front end as if they came from the server itself. Microsoft has attributed the attack to Hafnium, a state-sponsored APT group operating out of China.

While Microsoft originally indicated that this was a targeted attack against specific types of industries and businesses, I have reports from consultants for many small- to medium-sized businesses that have found evidence of exploitation.

Based on these reports, the attackers appear to have broadened their targeting once the zero-day became public. The White House confirmed this in its March 5 press briefing, and the US Cybersecurity and Infrastructure Security Agency (CISA) released Emergency Directive 21-02, with guidance and information about the attack, on March 3.

Even if your business is not normally a target, take heed and investigate if you run an on-premises Exchange Server. If you have not patched, do so now. If you did patch, you may still need to take action: the update closes the hole, but it does not evict an attacker who got in before it was applied, so determine whether you were impacted.

The attacks appear to have hit Exchange 2013 and 2016 most often. That may simply reflect how many of those servers businesses have installed rather than deliberate targeting of one version over another; Exchange 2019 is equally at risk. Exchange 2010 does not share the same vulnerabilities as the other versions, but it is receiving a patch as a defense-in-depth measure. Older versions of Exchange, while out of support, are not vulnerable to this issue.
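The two checks above, investigate for exploitation and confirm the patch is actually installed, as an added PowerShell example that is not part of the original article. The first function searches the Exchange HttpProxy logs for the indicator Microsoft published with its March 2021 advisory for the SSRF: unauthenticated requests whose AnchorMailbox field carries a ServerInfo~ routing hint. The second reads the installed build from ExSetup.exe, because Get-ExchangeServer's AdminDisplayVersion does not change when a security update is applied. The function names, the constructed sample log rows and the reduced column set are assumptions; the patched build number is a parameter you take from Microsoft's release notes for your cumulative update rather than a value hardcoded here.

```powershell
# Added example, not code from the original article. Function names, sample rows and
# the column subset are assumptions; run on an Exchange server (Exchange Management
# Shell puts ExSetup.exe on the PATH).

# 1) Hunt HttpProxy logs for unauthenticated requests carrying a ServerInfo~ anchor,
#    the indicator Microsoft published for exploitation of the SSRF.
function Find-SsrfIndicators {
    param(
        # Default log location for Exchange 2013/2016/2019 (the V15 layout).
        [string]$LogRoot = "$env:ProgramFiles\Microsoft\Exchange Server\V15\Logging\HttpProxy",
        # Optional in-memory CSV text so the function can be exercised offline.
        [string[]]$CsvLines
    )

    $rows = if ($CsvLines) {
        $CsvLines | ConvertFrom-Csv
    } else {
        Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' |
            ForEach-Object { Import-Csv -Path $_.FullName -ErrorAction SilentlyContinue }
    }

    # No authenticated user plus a ServerInfo~ anchor is the published indicator;
    # a normal OWA/ECP request has a user and a Sid~ or SMTP~ anchor instead.
    $rows | Where-Object {
        $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*'
    } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox, UserAgent
}

# Constructed sample rows (assumed, not real log data) using only the columns we query.
$sample = @'
DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent
2021-03-02T04:10:11.123Z,203.0.113.7,/owa/auth/x.js,,ServerInfo~mail.example.com/autodiscover/autodiscover.xml?#,python-requests/2.25
2021-03-02T04:11:02.456Z,198.51.100.4,/owa/,CORP\alice,Sid~S-1-5-21-1-2-3-1001,Mozilla/5.0
2021-03-02T04:12:44.789Z,203.0.113.7,/ecp/y.js,,ServerInfo~mail.example.com/ecp/DDI/DDIService.svc?#,python-requests/2.25
'@ -split "`r?`n"

Find-SsrfIndicators -CsvLines $sample | Format-Table -AutoSize

# 2) Compare the installed build (from the ExSetup.exe file version, which the
#    security update does change) against the patched build for your CU.
function Get-ExchangePatchStatus {
    param(
        # Patched build for your CU, taken from Microsoft's security-update release
        # notes; it differs per CU, so it is deliberately not hardcoded.
        [Parameter(Mandatory)][version]$PatchedBuild
    )
    $exsetup   = Get-Command ExSetup.exe -ErrorAction Stop
    $installed = [version]$exsetup.FileVersionInfo.FileVersion
    [pscustomobject]@{
        Server         = $env:COMPUTERNAME
        InstalledBuild = $installed
        PatchedBuild   = $PatchedBuild
        Patched        = ($installed -ge $PatchedBuild)
    }
}

# Usage on a live server, with the build taken from the release notes for your CU:
# Get-ExchangePatchStatus -PatchedBuild '15.1.2176.9'
```

Against the sample, only the two rows with an empty AuthenticatedUser and a ServerInfo~ anchor are returned; alice's ordinary OWA request is not. On a real server omit -CsvLines to read the HttpProxy directory instead. Treat a hit as a reason to open an incident, not as proof of a successful intrusion: the indicator shows the SSRF was attempted, and the rest of the investigation is determining what the attacker did next.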
