Client Update – MS Exchange Server Mass-Hack


By: John Ghose

In March 2021, government and private sector sources estimated that 30,000 U.S. organizations, and 100,000 organizations worldwide, were hacked by a Chinese state-sponsored group known as Hafnium.  The mass-hack exploited previously unknown “zero-day” vulnerabilities of Microsoft Exchange on-premises products as far back as January 6, 2021. (You can read more about this vulnerability in our prior post here.)  Since then, FMG’s cyber attorneys have worked on numerous MS Exchange matters and helped clients with their investigations of and responses to these incidents.  This client update provides initial reporting on what we have learned about this massive cybersecurity event.

The good news is that, from what we have seen initially, the threat actors exploiting the MS Exchange vulnerabilities have mostly probed without accessing or exfiltrating data. There are exceptions, of course, but in most cases our forensic partners have found China Chopper web shells – malicious interfaces that enable remote access to and control of a web server – installed on affected systems, but have not found correlating system activity indicating access to or acquisition of data. A likely explanation for this result is that the state-sponsored hackers were checking to see whether the web shells were present and accessible, but had not yet performed additional activities by the time clients responded to the vulnerability.

That said, organizations should remain vigilant. Cybersecurity researchers believe that, when Microsoft reported the vulnerability, with attack details and patching instructions, non-state-sponsored hackers reverse engineered the patch to discover and exploit the vulnerabilities on unpatched systems. Indeed, several weeks after the MS Exchange vulnerability was discovered, tens of thousands of affected systems remained unpatched. Although the FBI recently conducted an unusual operation whereby it obtained court approval to issue commands forcing removal of these malicious web shells, systems that remain unpatched are still vulnerable to re-installation and exploitation. There is also a new, albeit crude, strain of ransomware – DearCry – being used to exploit the MS Exchange vulnerability, which you can read about here.

Based on past experience with zero-day vulnerabilities, we believe it could be six to eight months before experts truly understand the full impact of the MS Exchange vulnerability.  In the meantime, if you need assistance with this or other cybersecurity or incident response matters, please contact one of FMG’s Data Security, Privacy & Technology attorneys.