The Hafnium-attack: How cyber-AI detects 0-day exploits
Companies of all shapes and sizes are scrambling to patch their MS Exchange servers after Dubex, one of Denmark’s leading providers of managed security services, recently discovered (and shared with Microsoft) critical security vulnerabilities affecting MS Exchange Servers 2013, 2016, and 2019.
The Chinese hacker group Hafnium successfully exploited vulnerabilities (CVE 2021-26855, 2021-26857-58, 2021-27065, and 2021-27078) in thousands of MS Exchange servers and accessed companies’ emails, calendars, and internal networks. Although it is too early to estimate the damage, it is safe to say that the affected companies may end up paying millions of dollars.
In this article, we will explore AI-based strategies that empower security teams to avoid being blindsided by future 0-day exploits.
How did the hackers do it? (the short version)
Hafnium masqueraded their activities by using botnets, probably through the TOR network, to obtain United States IP addresses.
Their next challenge was to find a way into the target’s exchange server, which is often achieved by compromising a webpage on an application server.
The hacker may have used a malicious script along the lines of:
sudo amass enum -d | grep ‘mail\|owa\|vpn\|exchange’
Once a vulnerable exchange server is identified, the hacker would record and replay the encrypted web communication using a proxy server. If successful, the hacker instigating a SSRF (Server-Side Request Forgery) will obtain a webshell (enabling remote access to targeted servers) or simply copy and exfiltrate entire mailboxes.
AI-based counter measures
Even the most sophisticated hackers leave footprints in the network traffic. Regardless of the attack-phase, MUNINN cyber-AI detects the most subtle indicators of compromise.
In the reconnaissance phase, the hacker will use specific queries to find vulnerable exchange servers. The skilled hacker will know how to circumvent traditional, signature-based security tools, but will not be able to evade AI-based anomaly detection.
MUNINN cyber-AI autonomously learns normal network behaviors by capturing and analyzing all network packets (full packet capture) – also encrypted traffic.
Although MUNINN does not read the contents of the encrypted traffic, the hacker may reveal her or his presence on the network by carrying out anomalous activities, for instance connecting to services out of hours, accessing fileservers from unusual IP addresses, or initiating anomalous data transfers to unusual destinations.
Leveraging autonomous response
In subsequent attack stages, such as lateral movement, the hacker’s anomalous activities will become even more obvious in the network traffic. The hacker would typically start or stop processes, add files, or make changes to registry databases. All these network activities would trigger MUNINN-alerts.
In the final stages – exfiltration, corruption, and disruption – the hacker will attempt to copy and transfer mailboxes from the compromised Exchange server to an external host. Again, MUNINN will detect anomalous data transfers.
When enabled, FREKI-Prevent, The MUNINN Platform’s autonomous response solution, would step in block the hacker from completing the mission.
In the next blogpost, Wehowsky.com will take you through an anonymised case to demonstrate how MUNINN detected the Hafnium attack.