Microsoft’s free safety scanner has been updated to look for common webshells injected by Hafnium – Microsoft Safety Scanner.Microsoft has a script that will examine Exchange logs for malicious requests – Microsoft GitHub.Systems should be inspected for any indicators of compromise (IOCs).Any Exchange servers should be patched immediately – Microsoft Instructions for Patching.Many estimates now sit at over 100,000 affected organizations worldwide and climbing.Īny Exchange server accessible via HTTPS has a moderate chance of having exposed all user and administrative AD credentials and may be acting as an entry point to utilize those credentials within the network.
Once the patches for these vulnerabilities were released, several security organizations noticed an uptick in Hafnium’s activity (likely to compromise more systems before organizations could apply the patches). FireEye’s Mandiant security services identified anomalous behavior relating to these exploits as far back as early January ( Mandiant Blog). They also announced a group dubbed “Hafnium” had been detected exploiting these vulnerabilities to access credentials used on the affected Exchange server and install secondary entry points for access in the event the vulnerability was patched. On March 2nd Microsoft announced 4 previously unknown zero-day vulnerabilities in all current versions of Exchange server along with patches to fix these vulnerabilities ( MS Blog).
0 kommentar(er)
