A United States county government mail server was hijacked by threat actors (TAs) who sent thousands of malicious emails to major state offices and county governments. The TA, known as Hafnium, targeted Microsoft Exchange servers with a web shell (malicious code or script planted on the server to give the attacker remote access), focusing on unpatched, on-premises servers. The attack vector had been in use for several months before BinaryResponse was contacted for this specific case. Our engineers respond frequently to this type of tactic and this level of malware sophistication.
BinaryResponse contained the threat, found the root cause of the problem, and provided a comprehensive remediation plan, all within 10 days.
Prior to BinaryResponse’s involvement, the county mail server had several vulnerabilities in its security infrastructure, including:
- No enforcement of a strong, complex password policy or an acceptable use policy.
- No use of heightened security within an endpoint detection and response (EDR) tool.
- No deployment of multi-factor authentication.
BinaryResponse remediation engineers rebuilt the compromised server environment, ultimately restoring all servers and their connections to state-wide resources. This was accomplished by:
- Enumerating the victim environment and deploying sensors for incident handling and monitoring within three hours.
- Rapidly identifying the compromised accounts, the date(s) on which each was compromised and the actions the TA took with each account, and coordinating with a breach coach (a data privacy law firm) for reporting.
- Conducting forensic image and log extractions in parallel with remediation, including patching to Microsoft Cumulative Update 22, which resulted in faster restoration of the client environment and better data preservation for analysis and reporting.
- Providing recommendations for log availability and retention for regulatory risk compliance and future incident handling based on performed analyses.
- Performing a mail server audit to review the outcomes of the remediation, which led to broader, proactively focused strategy planning with county stakeholders on reducing the current attack surface.
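As an added defensive example (not BinaryResponse tooling and not from this case), the following Python script shows one way the account-and-date triage described above can be approached when the foothold is a web shell on an IIS-hosted mail server: it compares requested .aspx paths against a baseline inventory of known web files and groups POSTs to unknown ones by date, source IP and authenticated user. The baseline, the log format and the log lines are all constructed for illustration.

```python
"""Triage IIS web logs for web shell activity (hypothetical helper, constructed for illustration)."""
from collections import defaultdict

# Constructed baseline: .aspx paths known to belong to the installed product.
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}

# Constructed W3C-style lines: date time c-ip cs-username cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2021-01-02 08:14:03 203.0.113.7 - GET /owa/auth/logon.aspx 200
2021-01-02 08:15:41 203.0.113.7 CONTOSO\\jdoe POST /owa/auth/unknown1.aspx 200
2021-01-03 11:02:19 198.51.100.23 CONTOSO\\svc_backup POST /owa/auth/unknown1.aspx 200
2021-01-03 11:05:00 198.51.100.23 - GET /ecp/default.aspx 200
2021-01-04 02:44:10 203.0.113.7 CONTOSO\\jdoe POST /ecp/unknown2.aspx 200
"""

def parse_line(line):
    """Split one log line into its named fields (path lowered for case-insensitive matching)."""
    date, time, ip, user, method, path, status = line.split()
    return {"date": date, "ip": ip, "user": user, "method": method,
            "path": path.lower(), "status": int(status)}

def find_suspect_aspx(log_text, known_aspx=KNOWN_ASPX):
    """Return {path: {"dates": [...], "ips": [...], "users": [...]}} for POST
    requests to .aspx paths that are absent from the baseline inventory."""
    hits = defaultdict(lambda: {"dates": set(), "ips": set(), "users": set()})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        # Web shells are typically operated through POSTs to a script the product never shipped.
        if rec["method"] != "POST" or not rec["path"].endswith(".aspx"):
            continue
        if rec["path"] in known_aspx:
            continue
        hit = hits[rec["path"]]
        hit["dates"].add(rec["date"])
        hit["ips"].add(rec["ip"])
        if rec["user"] != "-":  # "-" means the request carried no authenticated user
            hit["users"].add(rec["user"])
    # Sorted lists give a stable per-path timeline of when, from where and as whom.
    return {p: {k: sorted(v) for k, v in d.items()} for p, d in hits.items()}

if __name__ == "__main__":
    for path, info in find_suspect_aspx(SAMPLE_LOG).items():
        print(path, info)
```

The accounts listed under each unknown path are the ones to prioritise for credential reset and activity review, and the dates bound the window the forensic log extraction must cover.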