"Share today, save tomorrow"

How AusCERT helped its members tackle the recent Microsoft Exchange server critical ProxyLogon vulnerabilities and exploits

On the 2nd of March, news broke regarding the active exploitation of multiple 0-day Microsoft Exchange vulnerabilities.

This exploit was attributed to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

AusCERT’s first foray into communicating this breaking news to its members began with a simple retweet of the active exploitation advisory from Volexity, a security firm based in Reston, Virginia, USA.

This was quickly followed by a security bulletin alert on that very same day and the sharing of multiple articles through our ADIR, the AusCERT Daily Intelligence Report: a daily summary of curated infosec news which we email to subscribers by close of business, Monday to Thursday.

We also monitored and facilitated a number of discussions on our member Slack channel and relayed all relevant information to our members as it came to hand.

Following the release of our security bulletin alert, our team of analysts acted quickly and conducted a Shodan scan to determine the exposure to this exploit within our AusCERT member constituency. This particular service within AusCERT’s suite of membership service offerings is known as MSINs.

Member Security Incident Notifications (MSINs) are relevant and customised security reports containing notifications for organisations’ domains and IP ranges.

AusCERT MSINs are customised for each of our member organisations, based on their supplied IPs and domains. Our members benefit from AusCERT’s considerably large overseas and local threat intelligence feeds with respect to incidents that have been detected by other parties but concern our members.

Details from the Shodan scan conducted above were shared with affected members, alongside the offer of further assistance with interpreting the results as well as all relevant next steps for members to patch their systems and check for compromise.

As the days and weeks progressed, it became clear to AusCERT that these vulnerabilities and exploits continued to evolve.

By this stage, the vulnerability was better known as the ProxyLogon exploit. The associated AusCERT security bulletin, for example, is currently in its fifth iteration, and since then the team has also produced a blog titled “Patching for HAFNIUM* is just half of the story”.

* HAFNIUM refers to a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC).

On the 12th of March, the ACSC, the Australian Government’s lead agency for cyber security, issued a high alert advisory to members of the Australian public, which lent much-needed weight to public awareness of the severity of this exploit.

It is at this juncture that we’d like to acknowledge and thank our colleagues from The Shadowserver Foundation team for releasing nine special reports pertaining to this incident as part of their “Shadowserver Special Reports – Exchange Scanning” series.

On the very same day as the aforementioned ACSC high alert advisory, Shadowserver distributed the first installment of their special report series, containing potential victim information believed to be related to the HAFNIUM Microsoft Exchange Server exploits, to 120 National CSIRTs across 148 countries and over 5900 network owners, a network that AusCERT is proud to be a part of.

With this, our team of analysts conducted further analyses and reached out to all of our affected members each time a detailed report came through via this nine-part series from Shadowserver. These emails to our affected members contained specific details and additional remediation advice on top of the standard patching and mitigation steps.

At the time of the writing of this article, Microsoft has claimed that of a total of 400,000 Exchange email servers deployed on-premises across the world, around 30,000 are still vulnerable to attacks associated with the ProxyLogon exploits.

Let it be noted that until the various cyber threat intelligence agencies within our sector stop publishing and sharing new indicators, it is important to remain vigilant.

We hope that by sharing our experience in dealing with this wide-scale, highly publicised cyber security exploit, we will be able to encourage organisations to be proactive with their cyber security posture - “share today, save tomorrow.”

As a not-for-profit organisation, AusCERT is passionate about engaging with members to empower their people, capabilities and capacities, and helping them prevent, detect, respond to and mitigate cyber-based attacks.

This story was first published in the Women in Security magazine (Edition 2, 2021). To subscribe, please visit womeninsecuritymagazine.com