The vulnerabilities have now been published; the BSI has been warning about them, rated at threat level 4 ‘Very High’, since March 3.
What to do?
We recommend the following 8 steps to our customers:
1. Inform the company management about the severity of the attacks and their possible consequences.
2. Check the update status on your systems or bring your systems up to the latest status. This is a prerequisite for all further activities.
3. Promptly run the two check routines from Microsoft to determine whether you have been attacked. Make sure that the employees doing this have the necessary access and execution rights.
4. Promptly disconnect your systems from the Internet if the two check routines show that the vulnerabilities have been exploited at your end, i.e. that you have been successfully attacked. You must assume that backdoors have been installed in your systems since January and could have been, and still can be, exploited at will since then without your noticing.
5. In parallel, completely rebuild your Exchange server(s) and apply the latest backup. Connect the rebuilt server(s) to the Internet and resume normal operation. This way you achieve the smallest possible downtime.
6. Check the Internet traffic for suspicious activity such as unauthorized communication. Disconnect IT systems from the Internet immediately if suspicious activity is detected.
7. Forensic investigations:
- Forensically examine Exchange servers for further signs of attack.
- Examine all IT systems that were connected to the Exchange servers on the intranet for suspicious activity, in particular for backdoors.
8. We are aware that shutting down can result in considerable costs and possibly claims for damages, but we have come to the conclusion that only shutting down can prevent the manipulation of data and software (sabotage) and the copying of data and software (espionage). Inform customers, partners and employees about this step and explain it. Be prepared to discuss these measures and keep your management informed. The attackers are not the proverbial misguided pupils and students, but companies with 20 to more than 100 proven experts; there are more than 200 companies of this type worldwide.
Patching (indispensable!) alone does not end the attack if backdoors have already been installed.
The fact that the Chinese company Hafnium seems to be one of the attackers is irrelevant. However, the fact that the attacks are program-controlled (automated) increases the probability that you are among the victims.