In early March, zero-day vulnerabilities affecting Microsoft Exchange were publicly disclosed. These vulnerabilities were actively exploited in the wild by Hafnium, a threat actor believed to be a nation state. According to an alert from CISA:
“Microsoft has released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. A remote attacker can exploit three remote code execution vulnerabilities—CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065—to take control of an affected system and can exploit one vulnerability—CVE-2021-26855—to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild.”
CISA issued an emergency directive urging organizations to patch on-premises Exchange Servers while performing associated security scans to see if attackers are in the systems. Unfortunately, many organizations have still neglected to patch their systems and as a result, other cybercriminals have since taken advantage of vulnerable Exchange servers to launch attacks such as DearCry and Black Kingdom ransomware, as well as using the compromised servers for cryptomining.
Tips for Partners to Protect their Customers
First and foremost, partners and MSPs can and should play a key role in making sure customers are patching all on-premises Microsoft Exchange servers in their environments with the relevant security update. Details can be found on Microsoft’s Exchange Team blog. However, it is important to note that installing the patches does not remove any malicious web shells that are already present.
If a customer believes their organization has been exposed, MSPs should consult the Sophos MTR team’s step-by-step guide on how to search a customer’s network for signs of compromise. After patching or disabling servers that could potentially be exploited, Sophos recommends:
- Determining possible exposure: download and run the Test-ProxyLogon.ps1 script provided by the Microsoft Customer Support Services team
- Looking for web shells or other suspicious .aspx files
- Using a query to identify potential web shells to investigate, checking the patch level of your servers, and looking for suspicious commands
- Establishing impact by reviewing process activity and command executions from the time the web shell was created onwards
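The last three steps can be scripted as a triage pass over exported telemetry. The following is an added example, not Sophos or Microsoft code: it assumes a file listing and a process-event export have already been collected into the simple record shapes shown, flags .aspx files created since the start of the exploitation window, and for each one pulls out the commands the IIS worker process (w3wp.exe) spawned from that moment onwards. The sample paths, file names and events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Record shapes are assumptions: what an EDR or file-listing export would carry.
@dataclass
class FileRecord:
    path: str           # full Windows path
    created: datetime   # filesystem creation time (UTC)

@dataclass
class ProcessEvent:
    timestamp: datetime
    parent_image: str   # e.g. "w3wp.exe", the IIS worker process that hosts Exchange
    image: str          # child executable name
    cmdline: str

# Binaries a web shell commonly launches from the IIS worker; extend as needed.
LOLBINS = {"cmd.exe", "powershell.exe", "certutil.exe", "rundll32.exe", "net.exe"}

def candidate_webshells(files, window_start):
    """.aspx files created since the exploitation window began. Exchange's own
    .aspx pages carry install-time creation dates, so a fresh one in the OWA
    or aspnet_client trees deserves a manual look."""
    return sorted((f for f in files
                   if f.path.lower().endswith(".aspx") and f.created >= window_start),
                  key=lambda f: f.created)

def impact_timeline(shell, events):
    """Commands spawned by w3wp.exe from the shell's creation time onwards."""
    return [e for e in sorted(events, key=lambda e: e.timestamp)
            if e.timestamp >= shell.created
            and e.parent_image.lower() == "w3wp.exe"
            and e.image.lower() in LOLBINS]

def triage(files, events, window_start):
    """Map each candidate shell path to the process activity that followed it."""
    return {s.path: impact_timeline(s, events)
            for s in candidate_webshells(files, window_start)}

# Constructed sample data (not from any real incident).
T = datetime.fromisoformat
SAMPLE_FILES = [
    FileRecord(r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx", T("2020-11-02T10:00:00")),
    FileRecord(r"C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx", T("2021-03-03T04:12:00")),
    FileRecord(r"C:\inetpub\wwwroot\aspnet_client\system_web\readme.txt", T("2021-03-03T04:13:00")),
]
SAMPLE_EVENTS = [
    ProcessEvent(T("2021-03-03T03:50:00"), "w3wp.exe", "cmd.exe", "cmd /c whoami"),  # predates the shell
    ProcessEvent(T("2021-03-03T04:15:00"), "w3wp.exe", "cmd.exe", "cmd /c whoami"),
    ProcessEvent(T("2021-03-03T04:16:30"), "w3wp.exe", "powershell.exe", "powershell -Command Get-Service"),
    ProcessEvent(T("2021-03-03T04:20:00"), "services.exe", "svchost.exe", "svchost -k netsvcs"),
]
```

Running `triage(SAMPLE_FILES, SAMPLE_EVENTS, T("2021-02-26T00:00:00"))` returns only the constructed `supp0rt.aspx` path, with the two w3wp.exe-spawned commands that follow its creation; the earlier cmd.exe event and the services.exe child are left out.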
The Role of Threat Hunting with Zero-Day Vulnerabilities
Threats such as Hafnium are a great example of a situation where having an elite team of threat hunters and response experts to back your organization can offer peace of mind. When the Hafnium news first broke, the Sophos Managed Threat Response (MTR) team immediately began to hunt and investigate in customer environments to determine if there was any activity related to the attack. Additionally, it looked to uncover any new artifacts or IoCs related to the attack that could provide further protection for all Sophos customers, and has been tracking all new threats closely since.
The 24/7 nature of Sophos MTR meant that not a single second was wasted before the team got to work, ensuring our customers were protected. If a non-MTR customer is seeing signs that they may be experiencing related adversarial activity, Sophos recommends they contact the Sophos Rapid Response team immediately.