BitSight Observations Into the HAFNIUM Attacks: Part One

Luis Grangeia & Paulo Pacheco | March 9, 2021 | tag: data breach

On March 2, Microsoft announced that it had detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server. According to Microsoft, in the attacks observed, cybersecurity threat actors used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts, and installed additional malware to facilitate long-term access to victim environments.

Since Microsoft’s announcement, the Department of Homeland Security has issued an emergency alert directing federal agencies to take emergency actions to combat these cybersecurity threats.

Shortly after Microsoft’s announcement, BitSight observed at least 30,000 global organizations potentially vulnerable to exploitation. BitSight examined the prevalence of organizations running Microsoft Exchange Server by sector, finding that the Government sector has the highest prevalence of Microsoft Exchange among all sectors.


BitSight also examined the prevalence of potentially vulnerable organizations running Microsoft Exchange Server by country, finding that the highest concentrations of organizations are in the United States (29%), Germany (13%), the UK (8.5%), Canada (5%), France (5%), the Netherlands (4%), Italy (4%), Switzerland (4%), Austria (3.5%) and Australia (3%).


This is a notable attack. MS Exchange is extremely popular software, and the fact that a state-sponsored actor may be involved presents a significant cybersecurity threat risk. Furthermore, with most severe vulnerabilities of this type, patching and remediation can take place before weaponization; in this case, patching cannot remediate systems that have already been exploited.

Organizations are seeking to determine whether they or their vendors may be running vulnerable versions of Microsoft Exchange Server in order to understand their cybersecurity threat exposure. BitSight is currently showing data on potentially vulnerable Exchange servers in the vulnerability catalog. Customers can find this data by searching for any of the Exchange CVEs in the attack chain:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

BitSight will continue to update this research with additional telemetry. Please reach out to BitSight if you have specific questions about the impact of this incident on your vendor ecosystem.
