Illusive Blog March 12, 2021

Hafnium Nation-State Attack Shows Attackers Are Smarter Than Ever

By Jeff Barker
Active Defense, Advanced Persistent Threats, Hafnium, Microsoft Exchange, Nation-State Attacks

Microsoft recently acknowledged Hafnium has been targeting vulnerable Exchange servers, enabling operators to access email accounts and move laterally to establish additional beachheads for continued access to these environments. Before we dive into the details and recommend specific actions, lets take a step back and explore why attacks like this seem to be increasing in frequency and scope. A few months ago, at 18,000 customers, we were shocked with the scope of SolarWinds attack, and this attack could dwarf that number.

In February, Illusive hosted a webinar to examine the recent SolarWinds attack and panelist Admiral Mike Rogers (former NSA director) made an observation that stuck with me. He said he believes that two of our primary security operating assumptions are flawed – 1) attackers will use techniques we have seen before; and 2) attackers will behave in a way that is anomalous. I believe the flawed assumptions and an increasingly sophisticated adversary are inhibiting us from improving success rates at preventing attackers from operating undeterred inside environments for extended periods.

Getting back to the specific attack tactics, scope, and our response to the attack. We recommend that everyone follow Microsoft’s remediation guidelines to close the existing vulnerabilities. I am not going to review all the MITRE ATT&CK techniques observed in the attack and enumerate how Illusive could have helped you detect and prevent each. Knowing that the attacker used Procdump to dump Lsass memory (T1003.001) to then use Mimikatz to get credentials provides enough evidence that post-exploitation tactics include lateral movement to other parts of the environment, representing continued risk to the organization.

Currently, it is way too easy for attackers to harvest credentials, move laterally, and escalate privileges once they are inside. If an attacker is inside the network and using existing credentials, going where a user normally goes, when they normally go there, it is very difficult for anomaly-based detection systems to identify the behavior because it is seen as normal.

We recommend organizations plan and operate as if they have been compromised and the attacker is active in their environment. As with the SolarWinds attack, we recommend at-risk organizations would benefit from preparing for and executing a “shake the tree” lateral movement hygiene and detection exercise. For more information see our SolarWinds advisory.

“Shake the Tree” Exercise Process:

  1. Assess and improve credential and pathway hygiene.
  2. Ensure lateral movement detection strategy and required controls are functioning properly.
  3. Reset administrator credential passwords.
  4. Monitor lateral movement to spot attacker propagation in the environment.

Developing, and investing in, an Active Defense strategy to reduce the attack surface by preemptively cleaning up readily available credential and pathway information that is fuel for the attacker, then forcing detections by transforming endpoints into a network of deceptive stories, creates an environment that is hostile to attacker activities. It is time to change the game on the attackers.

As you analyze your exposure, be willing to accept there might be gaps in your security processes, controls, and assumptions that the adversary is exploiting. One notable example is recent blogs that describe how SolarWinds attackers disabled and bypassed endpoint security controls, including EDR. I am a bit surprised there’s not more discussion and makes me wonder. What else do the attackers know that we do not?

We are committed to providing insight into attacker tactics and techniques. Check out our upcoming ‘View from the Attacker’ campaign where we will provide an in-depth view into how an attacker thinks and operates.