Mitigation and Patching for HAFNIUM


If you are operating on-premises Exchange Servers, you will be aware of the recent HAFNIUM campaign exploiting vulnerabilities in internet-facing servers. Microsoft is strongly urging customers to immediately update their on-premises Exchange Server systems.

Excerpt from ‘HAFNIUM targeting Exchange Servers with 0-day exploits’:

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.

The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, all of which were addressed by the Microsoft Security Response Center (MSRC) release ‘Multiple Security Updates Released for Exchange Server’.

This article outlines the steps to detect and mitigate the exploit, then patch the servers using the latest Cumulative Updates (CU).

The scripts and activities outlined in this article are only for the following supported versions of Exchange Server:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

Note: Microsoft also released a Defense in Depth Update for Exchange Server 2010, which can be found here. Many of the principles and best practices in this document can be applied when updating Exchange Server 2010.

PREPARATION AND PRE-CHECKS

There is an old military adage which states, “Proper Preparation Prevents Poor Performance”. Preparation is essential to minimize risk. It is advisable to review and/or enact each preparation or pre-check item before executing the mitigation and upgrade activities.

1. EXCHANGE SUPPORTABILITY MATRIX

Refer to the ‘Exchange Server supportability matrix’ to locate information about the level of support available for any configuration or required component for supported versions of Microsoft Exchange Server.

Key components which should be closely investigated are:

  • Supported operating system platforms
  • Supported Active Directory environments
  • Microsoft .NET Framework

Important! Many clients may be running outdated Exchange Server Cumulative Updates and .NET Framework versions. Microsoft displays the following disclaimer regarding the upgrade from outdated CUs that are using older .NET versions: “If you’re upgrading Exchange Server from an unsupported CU to the current CU and no intermediate CUs are available, you should first upgrade to the latest version of .NET which is supported by your version of Exchange Server and then immediately upgrade to the current CU. This method doesn’t replace the need to keep your Exchange servers up to date and on the latest supported CU. Microsoft makes no claim an upgrade failure will not occur using this method, which may result in the need to contact Microsoft Support Services.”

1.1 BACKUP

Please ensure you have a recently tested, reliable and working full backup of both Active Directory and the Exchange Server(s).

1.2 MICROSOFT ARTICLE – ‘UPGRADE EXCHANGE TO THE LATEST CUMULATIVE UPDATE’

Review Microsoft’s documented recommendations and instructions for upgrading Exchange Server to the latest CU in the article, ‘Upgrade Exchange to the latest Cumulative Update’.

Key sections and instructions which should be closely investigated include:

  • What do you need to know before you begin?
    • The account you will use to install the CU requires membership in the Exchange Organization Management role group. If the CU requires Active Directory schema updates or domain preparation, the account will likely require additional permissions.
    • Check the release notes before you install the CU.
    • Back up all customizations. They will not survive the update (e.g., web.config files, the EdgeTransport.exe.config file, OWA theme customizations).
  • Best Practices

1.3 WINDOWS POWERSHELL SCRIPT EXECUTION POLICY

Ensure the Windows PowerShell Script Execution Policy is set to Unrestricted on the server(s) being updated.

To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded.

If the server is subject to a GPO which controls the Windows PowerShell Script Execution Policy, refer to the Microsoft article ‘ExecutionPolicy GPO is defined’ to temporarily remove any definition of MachinePolicy or UserPolicy in the ExecutionPolicy GPO.

1.4 DISABLE ANTIVIRUS SOFTWARE

Temporarily disable any anti-virus software prior to the update process.

1.5 WINDOWS EVENT LOGS

Check the Windows Event Logs for any Warnings or Errors which may need to be addressed prior to conducting any change activities on the server(s).

Check the Exchange-specific crimson channel event logs, located under Applications and Services Logs, for any Warnings or Errors that may need to be addressed prior to conducting any change activities on the server(s).

1.6 ACTIVE DIRECTORY HEALTH

Ensure Active Directory is healthy before conducting any change activities. This may include:

  • Review Domain Controller Event Logs
  • Inventory the FSMO roles
    • DCDIAG /test:FSMOCHECK
    • netdom query FSMO
  • Validate Forest wide replication
    • repadmin /replsum /bysrc /bydest /sort:delta
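The following PowerShell script is an added example (not from the original article) that runs the pre-checks from sections 1.3, 1.5 and 1.6 in one pass and records the results in a transcript. It is intended to be run from an elevated PowerShell session on the Exchange server being updated. The 24-hour look-back window and the report path under C:\Temp are assumptions chosen for illustration; netdom, dcdiag and repadmin must be available on the server (they are part of the AD DS/RSAT tools).

```powershell
# Added example: pre-upgrade readiness checks for sections 1.3, 1.5 and 1.6.
# Assumptions: 24-hour event look-back, report written under C:\Temp.
$LookBackHours = 24
$ReportPath    = "C:\Temp\PreCheck-$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd-HHmm).txt"
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
Start-Transcript -Path $ReportPath | Out-Null

# --- 1.3 Script execution policy, per scope ----------------------------------
# MachinePolicy / UserPolicy come from GPO. If either is defined it overrides the
# local setting and must be removed temporarily (see the linked Microsoft article).
Write-Host "== Execution policy by scope =="
$scopes = Get-ExecutionPolicy -List
$scopes | Format-Table -AutoSize
$gpoScopes = $scopes | Where-Object {
    $_.Scope -in 'MachinePolicy', 'UserPolicy' -and $_.ExecutionPolicy -ne 'Undefined'
}
if ($gpoScopes) {
    Write-Warning "Execution policy is enforced by GPO ($($gpoScopes.Scope -join ', ')); effective policy is $(Get-ExecutionPolicy)"
} elseif ((Get-ExecutionPolicy) -ne 'Unrestricted') {
    Write-Warning "Effective execution policy is $(Get-ExecutionPolicy); this article expects Unrestricted"
}

# --- 1.5 Windows and Exchange crimson-channel event logs ---------------------
# Level 2 = Error, 3 = Warning. The Exchange crimson channels sit under
# Applications and Services Logs and are named Microsoft-Exchange-*.
Write-Host "== Warning/Error events in the last $LookBackHours hours =="
$since    = (Get-Date).AddHours(-$LookBackHours)
$channels = @('Application', 'System') +
    (Get-WinEvent -ListLog 'Microsoft-Exchange-*' -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        Select-Object -ExpandProperty LogName)
foreach ($log in $channels) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue
    if ($events) {
        Write-Host "-- $log ($($events.Count) events); most frequent provider/event IDs:"
        $events | Group-Object ProviderName, Id |
            Sort-Object Count -Descending |
            Select-Object -First 10 Count, Name | Format-Table -AutoSize
    }
}

# --- 1.6 Active Directory health ---------------------------------------------
Write-Host "== FSMO role holders =="
netdom query fsmo
Write-Host "== DCDIAG FSMO check =="
dcdiag /test:FSMOCHECK
Write-Host "== Replication summary (largest deltas first) =="
repadmin /replsum /bysrc /bydest /sort:delta

Stop-Transcript | Out-Null
Write-Host "Report written to $ReportPath"
```

Keep the transcript with the change record: after the upgrade it gives a baseline to compare the post-install event logs and service states against.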

1.7 SPARE HARDWARE

Verify whether you have spare hardware (or enough resources in a Virtual environment) for the RecoverServer process in the event the installation will not complete successfully, and the server is in a state which cannot be reverted.

2. DOWNLOADS

Download the following scripts and software which will either be executed against or installed on the Exchange server(s).

3. UPGRADE ORDER OF PRECEDENCE

Install the updates in the following order based on server role.

  1. Exchange Client Access servers exposed and published to the Internet (e.g., servers publishing Outlook on the web (OWA) and ECP)
  2. Internal Client Access Servers
  3. Hub Transport Servers
  4. Mailbox Servers
    • a. If the Mailbox Servers are in a Database Availability Group (DAG) configuration:
      • i. Passive Mailbox Servers
      • ii. Active Mailbox Servers

4. DETECTION AND REMEDIATION PROCEDURE

The following procedure is represented more as a checklist of activities to be completed and does not provide step-by-step instructions for each activity being performed. Please refer to the Microsoft-specific documentation for step-by-step instructions for execution.

Important! Please be sure to execute all scripts and apply all updates from an elevated command prompt (Start a Command Prompt as an Administrator). Although the scripts and updates may appear to run successfully when executing from a non-elevated command prompt, some services may not start, or certain settings may not be applied properly.

4.1 EXECUTE HEALTHCHECKER SCRIPT

Run the HealthChecker script to get an inventory of the update-level status of the on-premises Exchange server(s).

4.2 ONE-CLICK MICROSOFT EXCHANGE ON-PREMISES MITIGATION TOOL

Run the One-Click Microsoft Exchange On-Premises Mitigation Tool (EOMT.ps1) to detect, protect against and mitigate CVE-2021-26855.

4.3 TEST-PROXYLOGON SCRIPT

Run the Test-ProxyLogon.ps1 script to check for HAFNIUM indicators of compromise (IOCs); the current version of the script has been updated to address performance and memory concerns.
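The following PowerShell wrapper is an added example (not from the original article, and not part of the Microsoft scripts it calls) that runs the three section 4 activities in order, refuses to proceed unless the session is elevated (the “Important!” note above), and keeps a transcript of everything the scripts report. The script file names are the ones Microsoft publishes; $ToolDir and $OutDir are assumed locations, and the parameters used (-OutputFilePath for HealthChecker.ps1, -OutPath for Test-ProxyLogon.ps1) are those documented for the scripts at the time of writing, so verify them against the versions you download.

```powershell
# Added example: run the section 4 detection/mitigation scripts with an
# elevation check and a transcript. $ToolDir/$OutDir are assumed paths.
$ToolDir = 'C:\ExchangeTools'            # assumed: where the downloaded scripts live
$OutDir  = 'C:\ExchangeTools\Output'     # assumed: where reports are written

# A non-elevated session may appear to succeed but leave services stopped or
# settings unapplied, so stop here rather than produce misleading results.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session (Run as Administrator).'
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Start-Transcript -Path (Join-Path $OutDir "DetectionRun-$(Get-Date -Format yyyyMMdd-HHmm).log") | Out-Null

# 4.1 Inventory the update level (CU/SU, .NET, OS) of this server.
& (Join-Path $ToolDir 'HealthChecker.ps1') -OutputFilePath $OutDir

# 4.2 Apply the CVE-2021-26855 mitigation. EOMT.ps1 also runs the Microsoft
#     Safety Scanner by default. This is a stop-gap until the CU in section 5
#     is installed, not a replacement for patching.
& (Join-Path $ToolDir 'EOMT.ps1')

# 4.3 Check the server for HAFNIUM indicators of compromise. Any findings go to
#     incident response before the server is patched, so evidence is preserved.
& (Join-Path $ToolDir 'Test-ProxyLogon.ps1') -OutPath $OutDir

Stop-Transcript | Out-Null
Write-Host "Review the reports in $OutDir before starting the upgrade procedure in section 5."
```

Run the wrapper once per server; the report and log files in $OutDir are the record that detection was performed before patching.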

5. UPGRADE PROCEDURE

The following procedure is represented more as a checklist of activities to be completed and does not provide step-by-step instructions for each activity being performed. Please refer to the Microsoft-specific documentation for step-by-step instructions for execution.

Important! Please be sure to execute all scripts and apply all updates from an elevated command prompt (Start a Command Prompt as an Administrator). Although the scripts and updates may appear to run successfully when executing from a non-elevated command prompt, some services may not start, or certain settings may not be applied properly.

5.1 PREPARE ACTIVE DIRECTORY AND DOMAINS FOR EXCHANGE SERVER

Although the CU may not require a Schema update, it is best practice to execute the preparation commands to confirm no errors and ensure a proper and consistent configuration. Refer to the Microsoft article ‘Prepare Active Directory and domains for Exchange Server’ for the proper procedure.

Execute each preparation command individually, and check AD replication after each switch is run.

  • /PrepareSchema
  • /PrepareAD
  • /PrepareAllDomains or /PrepareDomain[:<DomainFQDN>]
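As an added example (not from the original article or from Microsoft’s setup documentation), the following PowerShell script runs the preparation switches listed above one at a time and checks Active Directory replication after each, stopping at the first sign of trouble. $SetupExe is an assumed path to the extracted CU media. The license-acceptance switch shown, /IAcceptExchangeServerLicenseTerms, is the one used by CUs of this period; later CUs use a different switch, so confirm it in the CU’s release notes.

```powershell
# Added example: run the section 5.1 preparation switches individually with a
# replication check after each. $SetupExe is an assumed path.
$SetupExe = 'D:\ExchangeCU\Setup.exe'    # assumed: extracted CU ISO/package
$Switches = @(
    '/PrepareSchema',
    '/PrepareAD',
    '/PrepareAllDomains'                 # or '/PrepareDomain:<DomainFQDN>' per domain
)

function Test-ADReplication {
    # repadmin /showrepl * /csv lists every replication link with its failure
    # count; any link with failures means stop and investigate before the next switch.
    $links  = repadmin /showrepl * /csv | ConvertFrom-Csv
    $broken = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
    if ($broken) {
        $broken | Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                                'Number of Failures', 'Last Failure Status' | Format-Table -AutoSize
        return $false
    }
    Write-Host "Replication healthy across $($links.Count) links"
    return $true
}

# Do not touch the schema on a forest that is already failing to replicate.
if (-not (Test-ADReplication)) { throw 'Fix AD replication before preparing AD for Exchange.' }

foreach ($switch in $Switches) {
    Write-Host "== Setup.exe $switch =="
    & $SetupExe $switch /IAcceptExchangeServerLicenseTerms
    if ($LASTEXITCODE -ne 0) {
        throw "Setup.exe $switch failed with exit code $LASTEXITCODE; see C:\ExchangeSetupLogs\ExchangeSetup.log"
    }
    # Push the change to all partitions and partners so the check below reflects it.
    repadmin /syncall /AdeP | Out-Null
    if (-not (Test-ADReplication)) { throw "Replication errors after $switch; do not continue" }
}
```

Run the script on a domain-joined machine in the same site as the schema master, using an account that holds the Schema Admins and Enterprise Admins memberships required for the switches.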

5.2 DAG SERVER – START MAINTENANCE MODE

If the Exchange Server is a member of a DAG, you should first put the DAG member in maintenance mode.

Refer to the Microsoft article ‘Performing maintenance on DAG members’ for the proper procedure.

5.3 REBOOT SERVER

Reboot the server prior to installing software updates, to ensure there are no pending reboots from previously applied updates.

5.4 .NET INSTALL

Install the correct .NET Framework version.

Note: this step can take 40 minutes or longer, so do not stop the installation; wait until it completes successfully.

Important! After the .Net installation completes, reboot the server.

5.5 CU INSTALL

Install the Cumulative Update for Exchange.

Important! After the CU installation completes, reboot the server.

Perform post-install integrity checking and updates, which includes:

  • Ensure all Exchange services are in their normal start mode and started
  • Review the Event Logs
  • Re-apply customizations

If you run into issues after installation, please see ‘Repair failed installations of Exchange Cumulative and Security updates’ for resolution instructions.
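The following PowerShell script is an added example (not from the original article) of the post-install integrity checks in section 5.5, to be run in the Exchange Management Shell after the post-CU reboot. Get-ExchangeServer and Test-ServiceHealth are Exchange cmdlets; the service check reads the Windows service table for MSExchange* services rather than relying on a hard-coded list, so it works across the three supported versions.

```powershell
# Added example: post-install checks for section 5.5 (Exchange Management Shell).
$server = $env:COMPUTERNAME

# 1. Confirm the build actually changed to the CU that was installed.
Get-ExchangeServer -Identity $server | Select-Object Name, Edition, AdminDisplayVersion | Format-List

# 2. Any MSExchange* service set to Automatic that is not running is a red flag.
#    A CU leaves start modes as they were, so a Disabled service usually means it
#    was disabled before the upgrade; compare with your pre-check notes.
$svc = Get-CimInstance Win32_Service -Filter "Name LIKE 'MSExchange%'"
$svc | Select-Object Name, StartMode, State | Sort-Object Name | Format-Table -AutoSize
$notRunning = $svc | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' }
if ($notRunning) {
    Write-Warning "Automatic Exchange services not running: $($notRunning.Name -join ', ')"
    $notRunning | ForEach-Object { Start-Service -Name $_.Name -ErrorAction Continue }
}

# 3. Test-ServiceHealth reports, per server role, the required services not running.
Test-ServiceHealth -Server $server |
    Where-Object { -not $_.RequiredServicesRunning } |
    Select-Object Role, ServicesNotRunning

# 4. Errors logged since the reboot point at failed post-install steps.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Get-WinEvent -FilterHashtable @{ LogName = 'Application', 'System'; Level = 2; StartTime = $boot } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message | Format-Table -Wrap

# 5. Customizations (web.config, EdgeTransport.exe.config, OWA themes) are not
#    checked here: the CU overwrote them, so re-apply them from the backup taken
#    in section 1.2 and re-run this script afterwards.
```

If step 2 or 3 reports services that will not start, treat the installation as failed and follow the repair article referenced above rather than returning the server to service.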

5.6 DAG SERVER – STOP MAINTENANCE MODE

If the Exchange Server is a member of a DAG and was placed in maintenance mode, take the DAG member out of maintenance mode.

Refer to the Microsoft article ‘Performing maintenance on DAG members’ for the proper procedure.
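As an added example serving both section 5.2 and section 5.6 (not from the original article), the following PowerShell functions wrap the maintenance-mode sequence from Microsoft’s ‘Performing maintenance on DAG members’ article, for use in the Exchange Management Shell. The cmdlets are the documented Exchange and Failover Clustering cmdlets; the $Target parameter (a DAG member in the same site that is not being patched, to which queued mail is redirected) and the 30-second polling interval are assumptions.

```powershell
# Added example: DAG maintenance mode start (section 5.2) and stop (section 5.6).
# Assumptions: $Target is another healthy DAG member; polling every 30 seconds.

function Start-DagMaintenance {
    param(
        [string]$Server = $env:COMPUTERNAME,
        [Parameter(Mandatory)][string]$Target   # DAG member to drain queued mail to
    )
    $targetFqdn = (Get-ExchangeServer -Identity $Target).Fqdn

    # 1. Stop accepting new mail, then move anything already queued elsewhere.
    Set-ServerComponentState $Server -Component HubTransport -State Draining -Requester Maintenance
    Restart-Service MSExchangeTransport
    Redirect-Message -Server $Server -Target $targetFqdn -Confirm:$false

    # 2. Pause the cluster node and block database activation on this member.
    Suspend-ClusterNode $Server
    Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $true
    Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Blocked

    # 3. Wait until no database copy is still active here, then take the whole
    #    server offline so clients and other servers stop using it.
    do {
        $active = Get-MailboxDatabaseCopyStatus -Server $Server | Where-Object { $_.Status -eq 'Mounted' }
        if ($active) {
            Write-Host "Waiting for $($active.Count) active copy/copies to move: $($active.Name -join ', ')"
            Start-Sleep -Seconds 30
        }
    } while ($active)
    Set-ServerComponentState $Server -Component ServerWideOffline -State Inactive -Requester Maintenance
}

function Stop-DagMaintenance {
    param([string]$Server = $env:COMPUTERNAME)

    # Reverse of the above: bring the server online, resume the node, allow
    # activation again and return transport to service.
    Set-ServerComponentState $Server -Component ServerWideOffline -State Active -Requester Maintenance
    Resume-ClusterNode $Server
    Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $false
    Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Unrestricted
    Set-ServerComponentState $Server -Component HubTransport -State Active -Requester Maintenance
    Restart-Service MSExchangeTransport

    # Anything still not Active here means the server is not fully back in
    # service and should be investigated before the section 5.7 verification.
    $pending = Get-ServerComponentState $Server | Where-Object { $_.State -ne 'Active' }
    if ($pending) {
        Write-Warning "Components still not Active on ${Server}:"
        $pending | Select-Object Component, State | Format-Table -AutoSize
    } else {
        Write-Host "$Server is out of maintenance mode; all components Active."
    }
}

# Usage (section 5.2, before the reboot/.NET/CU steps):
#   Start-DagMaintenance -Target MBX02
# Usage (section 5.6, after the post-CU reboot and checks):
#   Stop-DagMaintenance
```

Once every DAG member has been patched, database copies can be rebalanced with the RedistributeActiveDatabases.ps1 script that ships with Exchange, as the Microsoft article describes.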

5.7 VERIFY

Verify full functionality of the server and of any dependent applications connecting to Exchange (backup, archiving, monitoring, mail relay, etc.).

5.8 BACKUP

Initiate a full backup of both the Active Directory and the Exchange Server(s).

REFERENCES

HAFNIUM targeting Exchange Servers with 0-day exploits

Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities

One-Click Microsoft Exchange On-Premises Mitigation Tool – March 16, 2021

02 March 2021 – Exchange Server Security Update – Updated March 17, 2021

Released: March 2021 Quarterly Exchange Updates – Updated March 16, 2021
