HAFNIUM Is Tearing Through Exchange Servers, and You Need to Patch Right Now
Microsoft disclosed active exploitation of multiple Exchange Server zero-days by the HAFNIUM group, and admins everywhere are scrambling to patch.
If you run an on-premises Exchange Server, stop reading this in five minutes and go check your patch status. That’s the state of things two days after Microsoft disclosed that a group it’s calling HAFNIUM has been exploiting a chain of zero-day vulnerabilities in Exchange, including one tracked as CVE-2021-26855, to break into mail systems and steal data.
What’s actually happening
Microsoft attributes the activity to a China-linked group, and the attack pattern is nasty precisely because of how it works. The vulnerabilities let an attacker authenticate to an Exchange server as if they were on the local network, then chain that access into the ability to write arbitrary files to the server. In plain terms: attackers can plant web shells directly on the Exchange box, giving them a persistent backdoor that survives reboots and looks, to a casual glance, like it belongs there. From that foothold they can read mailboxes, exfiltrate data, and pivot further into the network.
This isn’t a theoretical bug bounty finding. Microsoft says it’s been actively exploited in the wild, and the early reports suggest the number of compromised organizations is already in the tens of thousands worldwide. That’s a big number for a vulnerability that was, until this week, unknown to defenders. It means a lot of servers had web shells sitting on them for some unknown window of time before anyone had a patch to apply, let alone applied it.
Why on-prem Exchange is such a juicy target
Exchange Server sits at the center of most corporate networks: it’s internet-facing (because people need to check mail from anywhere), it’s deeply trusted by everything else in the domain, and it’s historically been slow to patch because taking down mail for maintenance is disruptive. Combine “faces the internet” with “hard to take offline” and “extremely valuable data,” and you get exactly the kind of target that state-linked groups spend zero-days on rather than saving them for something else.
What to do if you run Exchange
Microsoft has pushed out emergency, out-of-band security updates for the affected versions and is telling every Exchange admin, in the strongest possible terms, to apply them immediately, regardless of your normal patch cycle. If you can’t patch immediately for some reason, look into interim mitigations Microsoft has published, and start hunting for signs of compromise: unfamiliar files in Exchange web directories, unusual process activity from Exchange-related services, and any web shells that might already be sitting on your server. Given the scale of exploitation already reported, “wait and see” isn’t a defensible posture here — assume you may already be a target even if you haven’t seen anything unusual yet.
The bigger question hanging over this is how long the exploitation window was open before disclosure, and how many organizations are only now discovering they’ve had an uninvited guest reading their email for weeks. I don’t have a firm answer to that today, and I’d be cautious of anyone who claims they do this early. What is clear is that this is shaping up to be one of the more serious enterprise security stories of the year, and it’s only March.