Penetration Testing Experts


While the cybersecurity industry was still coming to terms with the size and the sheer audacity of the Solarwinds hack, another damaging hack was brewing that is generating shockwaves all around the world.

It began on the second of March when Microsoft discovered a vulnerability in its email servers which had given hackers the opportunity to infiltrate systems and in the process, compromise thousands of servers around the world with malware.

CBS News quoted the former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Chris Kebs after he tweeted “This is a crazy huge hack.”, and the BBC concurred, noting that ‘Hundreds of UK companies have been compromised’

Microsoft took immediate steps to name the primary actor behind the attacks as a Chinese-based group known as “Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.”

The attack was slightly unusual in that the attackers were not targeting any specific organisations. Instead, they were going for volume and were trying to compromise anything that looks vulnerable. That vulnerability is massive because no unpatched systems are off-limits. This reinforces the idea that the primary goal of the hack is to sow chaos and disrupt global networks.


In a long, carefully worded blog post, Microsoft explained how the attack happened. “The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”

Microsoft is fully aware of how damaging this hack could be to their reputation, and they are determined to wrestle back control from the hackers. In the three weeks since the hack was discovered, they have put out multiple patches, updates and mitigation tools for customers who do not have dedicated security or IT teams to aid them.

In their own words, Microsoft says “Successful response should consist of the following steps:

  1. Deploy updates to affected Exchange Servers.
  1. Investigate for exploitation or indicators of persistence.
  1. Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.

Microsoft recommends that you update and investigate in parallel, but if you must prioritize one, prioritize updating and mitigation of the vulnerability.”


One of the biggest dangers of this particular hack is that it does not only benefit Hafnium, instead, it opens the door for any potential hackers to start sniffing around, and the BBC claims that “as many as 10 different hacking groups are now actively using the zero-day exploits to target companies in 115 different countries.”

Once again, the importance of world-class security support is clearly illustrated by this hack., and the repercussions of being targeted are instantaneous and, frequently, devastating.

No matter how powerful, nobody seems to be safe from these shady forces of chaos. This is the eighth time in twelve months that Microsoft has been forced to publicly disclose that nation-state groups are targeting institutions critical to civil society.

With remote work and shared cloud servers so much a part of our working life today, it’s incredibly risky to work without the safety net of a dedicated cybersecurity partner. No company can expect to keep up with the number of threats proliferating on the web.

Get in touch with 2|Sec today and discover the peace of mind that comes from having professional cybersecurity on your side.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top