The MS Exchange Hack [ML B-Side]

Israel Barak, Cybereason's CISO and an expert on cyber-warfare, on the recent MS Exchange hack that hit thousands of organizations worldwide: what happened, what were the vulnerabilities exploited in the attack, and what can we do to defend against such attacks in the future.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Israel Barak

CISO at Cybereason

Israel Barak, Cybereason’s CISO, is a cyber defense and warfare expert, with extensive background working for the government where he established and operated various cyber warfare teams. Israel spent years training, guiding and professionally mentoring new personnel, providing in-depth cyber expertise as it relates to cyber warfare, cyber security, and threat actor’s tactics and procedures. Israel is also a regular speaker at leading cyber security industry conferences and events.

Episode Transcript:

Transcription edited by Dario Princip

[Ran] Hi, and welcome to Cybereason’s Malicious Life B-sides.
As you’re probably well aware, most episodes of Malicious Life are narrative and story-driven. It’s a great format which I think is the best way to communicate complicated technical topics, but on the downside, it makes it hard for us to respond to current and ongoing events because it takes time to research and write a good story. This downside became much more apparent in the last few months due to the SolarWinds attack which made waves all over the information security world, and now the MS Exchange hack, both of which affected tens of thousands of organizations all over the world. To tackle this challenge, we’re bringing back a secondary format we used to have on Malicious Life called B-sides.
These are short, interview-based episodes in between the longer, story-driven episodes of the show, which will revolve around topics and ideas we find hard to incorporate into our regular episodes. So for our first B-side, we’re happy to have with us a regular contributor to the show, Israel Barak, Cybereason’s CISO and a cyber defense and warfare expert, to talk about the hottest topic in cybersecurity right now, the MS Exchange hack by Hafnium, a Chinese state-sponsored APT.
Nate Nelson, our senior producer, talked with Israel about the attack itself, the zero-day vulnerabilities that allowed the hackers to infiltrate the networks of so many organizations, and the probable fallout from this event. Nate, take it from here, and I’ll see you on the other side of the interview.
Enjoy!

[Nate] Israel, what is the story we will be talking about today?

[Israel] So we’re going to be talking about the Hafnium attack, where at least 30,000 organizations across the United States and hundreds of thousands of organizations across the world, including, I think a significant number of small businesses, towns, cities, and local governments, have over the past couple of months been hacked by an unusually aggressive Chinese cyber espionage organization that’s focused on stealing email from victim organizations.
Now the espionage group is exploiting four newly discovered flaws in Microsoft Exchange server email software, and has deployed in hundreds of thousands of victim organizations worldwide tools that give the attackers basically total remote control over the affected sites, systems, and while the United States was the most targeted country, we also see right after the United States a very high amount of victims in Germany, the UK, the Netherlands, and Russia.
From a timeline perspective, just to give a quick note on that, a company called the Volexity based out of Western Virginia, reported first seeing the attackers sort of quietly exploiting the Exchange server bugs on January 3rd of 2021, and around February 26th, that narrow operation turned into something much bigger and much more chaotic, I would say, as the threat actor chose to use the attack on a very, very large scale and practically on almost every vulnerable system they could find that was connected to the internet across the world.
On March 2, March 2nd, almost two months later, and after hundreds of thousands of organizations were impacted, Microsoft released an emergency security update to basically plug these four security holes in Exchange server versions 2013 through 2019 that hackers were actively using to exfiltrate or essentially steal email communications from these internet facing systems that were running Exchange.

[Nate] So let’s rewind a bit. Just firstly, what is Microsoft Exchange and why might it be an attractive target for hackers?

[Israel] So Microsoft Exchange email server is an online collaboration platform for enterprises that’s meant to send, receive, and store email, calendar, and related information. It’s used by organizations in private as well as government sector across the world. I would say everything within Outlook or the Outlook email client goes through the Exchange server in general.
Now, very often organizations connect their Exchange email servers to the internet. The reason is they want to allow remote users to connect to the email service while they’re not in the office. That actually serves as a great point of entry for the attackers that were able to find vulnerable Exchange servers all over the internet and use them as their initial access vectors into so many organizations’ networks. Now when you compromise an Exchange server that holds multiple benefits for an attacker, I think the most direct benefit obviously is the ability to have complete access to the organization’s email traffic. That obviously allows the attacker to tap into a very valuable source of confidential information but can also allow the attacker to do other things like sending emails on behalf of people within the compromised organization. That can serve as a great way to spread within a network or spread into other organizations via email.
Another potential benefit for compromising an email system is for the purpose of extortion via ransomware. Basically, by encrypting the data in the email system and you impact any email information that’s not backed up and that can be a lot of significant data.

[Nate] So there were four vulnerabilities involved in this attack. Could you describe them, how the attackers leveraged them and why four were necessary in the first place?

[Israel] We know that at least four different vulnerabilities were used by the threat actor in the attack and they’re effective against Microsoft Exchange server versions 2013, 2016, and 2019. And the first vulnerability allows the attacker to gain authenticated access to the Exchange server, which means that it will cause the Exchange server to identify the attack or attacker as the legitimate activity or as a legitimate user that is permitted to perform actions on the server. That was the first one.
The other three vulnerabilities basically allow the attacker to use that authenticated access to write files into any location on the Exchange server and run code on the server with the highest Windows local permissions and the attacker leveraged that to deploy a web shell, which is a capability that allows them to have persistent remote access to the compromised server and really perform any action they desire on it to impact the confidentiality, integrity and availability on the server itself and in its network environment.
Now we know that hundreds of thousands of organizations were breached and the attacker performed several automated steps to make sure that they stay persistent in the organization. In some of the impacted organizations, the threat actor actually took continued action with hands-on keyboard operations aimed to steal data, but in many of these impacted organizations, the web shell is actually still waiting for the threat actor to come in and carry out their mission. In multiple cases, the threat actor used that access to not only steal massive amounts of email information, but also to access Windows account credentials that were on the compromised Exchange server to facilitate lateral movement in the environment, as well as secondary breaches that allow the threat actor to further spread in the victim’s network so that they’re able to gain access to additional data as well as stay persistent and active in the network even after the Exchange server is patched and the initial access vector is closed.

[Nate] Is there anything else that’s important to know about the technical side of this attack?

[Israel] One thing that might be interesting about the technical aspects of the attack is the fact that it basically serves as a great starting point for other attackers. The web shell or the tool basically that was deployed by Hafnium became something that other threat actors started using as well to facilitate their own attacks. I think that might be an interesting aspect of this particular situation.

[Nate] I might be missing something here.
How is it that a web shell planted by Hafnium would be known to other attackers? Are you talking about attackers who are specifically working with Hafnium or just any attackers anywhere?

[Israel] The interesting thing in this incident is that in each and every one of those breached organizations, those compromised Exchange servers, the intruders left behind this sort of web shell, this sort of easy to use hacking tool that can be accessed over the internet from any browser and that web shell gives the attackers administrative access to the victim’s computer servers. The web shell was built with minimal protection so basically even if you’re not the original threat actor, if you knew that it was there on the server, you could actually use it to gain privileged access into that organization.
Now we don’t know exactly how it became apparent to other threat actors that Hafnium deployed that web shell across a wide variety of organizations and their Exchange servers, whether the information was deliberately shared with other threat actors, whether it was shared via the underground network forums, whether it was accidentally exposed to other threat actors. But what we do know is that sure enough, a wide variety of other threat actors, both state-sponsored and non-state-sponsored, started using or started scanning for that web shell and from the moment it became clear to them that it was there, and that was around February 26, we saw a huge spike in the amount of attacks on internet-connected Exchange servers and secondary attacks that were using that web shell that basically became a free-for-all meal with dozens of hacking groups that started exploiting this web shell and that really dramatically amplified the impact of the attack and that led to those numbers of hundreds of thousands of impacted organizations across over a hundred countries. Some of these threat actors have essentially been using this open door into organizations’ networks to not just steal data, but also to deploy ransomware, for example, in the DearCry case.

[Nate] So now that you’ve described the bones of the attack, could we drill it down to a more specific example, maybe a specific case study of a company that was attacked? Just give people a real sense of what this looks like on the ground and the consequences for the particular targets.

[Israel] Yes. We can really take a look at the procedure that the Hafnium group used when they compromised those vulnerable Exchange servers. The first thing that they did, and we talked about this briefly, is dropping that web shell on the compromised Exchange server, which allowed that threat actor to maintain persistence and maintain a long-term access to that server.
Basically whenever they desire, the threat actor can choose to come in, connect to the compromised server, and perform actions on it. After the threat actor drops that web shell at the beginning of the incident, they basically perform a number of automated steps. They can start getting immediate value from the attack and not wait for the human attacker to come in.
Now, these automated steps include basically three automated actions. First is to dump the LSASS process memory on the compromised Exchange server. That process basically contains user account credentials and encryption keys that are protected by the operating system, and accessing that data basically allows the attacker to decrypt information that is protected by the operating system and use the stolen user account credentials to move laterally in the network and facilitate secondary breaches.
The next step after dumping the LSASS process memory is to automatically collect, basically steal, the information that is in the Exchange mailboxes. The attacker basically exports all the data automatically that is in the organization’s email and the Exchange address book that contains information about the organization and its users.
Then as a third step, the threat actor basically automatically takes all that huge trove of data, the entire information that was in the Exchange email server mailboxes, and just exfiltrates it out into the attacker’s hands. At that point, the threat actor basically already collected a huge amount of email information from the organizations that were breached, and they can now operate in parallel tracks. On one track, they basically provide all that stolen information for analysis, and on a separate track, they leverage that initial access point in the web shell to continue with a deeper attack on specific victims that they see higher value in.

[Nate] One of the things that’s been kind of nagging at me this whole conversation is that there were four vulnerabilities. We talked about them, but that’s just so much considering that they were all zero days. On this podcast, we’ve talked about a lot of hacks, and when we do, we try to emphasize that zero days are very rare. They’re difficult to find. You don’t just stumble upon them. How is it possible that these attackers managed to find four?

[Israel] There are a couple of different ways to identify vulnerabilities in products like Microsoft Exchange or in software products. Option number one is to leverage access to the source code. From the moment you have access to the source code, it becomes a lot easier to identify areas within the source code that expose the product to vulnerabilities that don’t sanitize input properly. They don’t implement sufficient security procedures or validation procedures. They don’t adhere to security best practices. From the moment you have access to the source code, by no means I do not mean to link these particular vulnerabilities to reported breaches into Microsoft’s network that resulted in theft of some of the source code. But access to the source code of a product can make the effort significantly easier for an attacker.
Another option in lieu of source code is to reverse engineer the product. Basically put the product in a lab and try to understand how it works. Basically get as close as possible to a source code without actually having the source code. Once you have a good understanding or a good enough understanding of what the code would look like following a reverse engineering procedure, you can then go back and try to analyze and find those areas where security vulnerabilities exist and then understand how to take advantage of these vulnerabilities.
A third option, and there are certainly some additional ones, but a third popular option is to try to identify unexpected behaviors that a product exhibits when provided with specific and specially crafted input. The procedure is often called fuzzing where an attacker or a security researcher for that matter would put a product in a lab and provide it with a wide variety of specially crafted inputs in this declared case authentication request and try to identify how the product behaves and if it exhibits any unexpected behaviors or states when provided with that specially crafted input and then identify the potential of these unexpected behaviors as part of an attack.

[Nate] Now let’s get into attribution. What do we know about Hafnium?

[Israel] The attack was attributed by Microsoft to a group Hafnium, which is believed to be a Chinese state-sponsored group. According to Microsoft, historically Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutes, defense contractors, policy think tanks, and NGOs, and their primary objective historically has been data theft.
We know that, at least based on that type of attribution, that the group is most likely a state-sponsored, capable, and well-financed group.

[Nate] What’s been the fallout from all of this, both from the cybersecurity community but also the business community?

[Israel] By all signs, I think rooting out these attackers is going to require an unprecedented cleanup effort. I think we should all be worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors and perhaps broadening the attack to include other portions of the victim’s network infrastructure.
From a government response perspective, and I think we need to remember that this attack comes on the heels of the separate SolarWinds attack, which is by itself still very much an ongoing situation in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations worldwide.
In both cases, I think while the White House and other governments weigh a response, the risk grows. The administrations are slowly dealing with the sophisticated espionage of SolarWinds, but the chaos of the Hafnium attack, I think, presents a different challenge entirely, both in fixing the problem and responding to the hackers behind it.

[Nate] It was only just a couple of months ago when we were coming off the SolarWinds attack. In a lot of ways, as you describe this attack, I do see that there are some parallels.
It’s a foreign state-sponsored actor leaving these little traps in many companies’ systems that could then be leveraged and are really hard to excise. In what ways do you think these two major cyber events are similar, that it may be useful to compare? Or put another way, what can we learn from the fact that these two hacks just occurred in such close succession?
What does it say about the cybersecurity world more generally?

[Israel] I think first and foremost is the realization that as an industry, we really need to step up our abilities to detect and respond to threats that we haven’t seen before and really become more proactive. I think many organizations still operate under the assumption that traditional hardening, anti-malware, can sufficiently reduce their attack surface. We can see time and time again, and we just had really two glaring examples that you mentioned SolarWinds and Hafnium, that this approach is proven wrong.
I think many of the impacted organizations in this incident weren’t targeted specifically. They were impacted by ransomware or data theft as part of a collateral damage. When you think about the context of Hafnium and SolarWinds, I think Hafnium is the second time in a very short period of time that we see that relying on threat intelligence alone isn’t really helpful when it comes to more sophisticated attacks, just like the SolarWinds or the Hafnium actor basically operated for months and impacted an unprecedented number of organizations across the globe with completely no indication from commercial threat intel sources.
I think the approach that we need to consider and has been proving itself successful in time and time again against these threats is adopting strong behavior analytics that can detect and automatically reduce the response time of abnormal system behaviors in an enterprise environment, whether it be EDR or NDR or XDR. I think we need to get better at adopting a proactive mindset in architecture and tool set at scale that can help mitigate the risk of these more advanced threats.

[Ran] That’s it for this episode. Thank you for listening. As usual, our website is malicious.life where you’ll find all of our past episodes, plus full transcripts. We’re also on Twitter at @MaliciousLife and @RanLevi, that’s @ R-A-N-L-E-V-I, and my email address is ran@ranlevi.com.
Cybereason’s Malicious Life is produced by PI Media. Nate Nelson is our senior producer, sound design by Ben-or Habari. Thanks to Cybereason for underwriting the podcast.
Learn more at cybereason.com.
Bye Bye