An Unauthorized Exchange - From Targeted Espionage to a Global Cyber Pandemic
While many organizations—and the information security community as a whole—were still reeling from the impact of the SolarWinds Orion breach, another catastrophic event was already underway. In early January 2021, a Chinese APT actor was taking aim at organizations running Microsoft Exchange with a critical zero-day exploit that allowed them to download e-mails at will. As bad as that sounds, it was actually just the beginning. The initial flaw would soon be combined with other zero-day exploits to allow full remote code execution on Exchange servers around the world. This talk will review Volexity's initial discovery of the main vulnerability that allowed these events to happen, and the actions of the threat actor known as Hafnium. It will cover the initial stealthy activities of the group; the later targeted exploitation and lateral movement; and the resulting widespread exploitation that compromised tens of thousands of servers around the world.