In early March, Microsoft disclosed that the state-sponsored threat actor HAFNIUM was exploiting vulnerabilities in on-premises Exchange Server to compromise email accounts. With victims across the world, other malicious actors began targeting these unpatched systems within days, installing additional malware to ensure long-term access to victim environments.
BlackBerry's Threat Research Team has analyzed the cyber-attack chain and strongly urges customers to follow Microsoft's advice and update on-premises systems immediately to reduce the risk to potentially affected systems. We also recommend that customers download and enable the custom Win Procdump Lsass CredTheft Mitre rule.
BlackBerry also authored a custom rule to identify and mitigate the techniques used by the HAFNIUM group. BlackBerry MSSP Partners can download the new rule here.
The good news? BlackBerry Protect and BlackBerry Optics stop these attacks.
Our customers can feel confident that our AI-driven security products, as well as our Managed Detection & Response (MDR) solution, are well-equipped to mitigate the risks posed by threat actors exploiting unpatched vulnerabilities.
BlackBerry Protect, our endpoint protection solution, can help shield customers from the HAFNIUM attack. Its PowerShell Script Control will stop commands associated with the exploit, and Memory Protection will prevent the dumping of LSASS memory by terminating the tool used in the attack before the memory extraction completes.
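To make the LSASS credential-theft behaviour the Procdump/LSASS rule is aimed at concrete, here is an added detection example. It is not code from BlackBerry's post or products; it assumes Sysmon Event ID 1 style process-creation telemetry (image path, command line, parent image) and uses constructed sample events. It flags Procdump launches that name lsass.exe directly, and, where the host's lsass PIDs are known from the same telemetry, launches that target LSASS by PID instead of by name.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass
class ProcessEvent:
    """One process-creation record, shaped like a Sysmon Event ID 1 or EDR telemetry row."""
    image: str          # full path of the newly created process
    command_line: str   # command line it was started with
    parent_image: str   # full path of the parent process


# Procdump binary names (32- and 64-bit builds), matched on the path's last component.
PROCDUMP_RE = re.compile(r"(?:^|[\\/])procdump(?:64)?\.exe$", re.IGNORECASE)

# "lsass" or "lsass.exe" as a standalone token. Deliberately does not match
# unrelated strings such as "lsass_notes.txt" or an output file named "lsass.dmp".
LSASS_RE = re.compile(r"(?<![\w.])lsass(?:\.exe)?(?![\w.])", re.IGNORECASE)


def classify_lsass_dump(ev: ProcessEvent, lsass_pids: Optional[Set[int]] = None) -> Optional[str]:
    """Return a reason string when the event looks like Procdump dumping LSASS, else None.

    lsass_pids: PIDs of lsass.exe on the host at the time of the event (taken from
    the same telemetry source), so a dump requested by PID rather than by name is
    still caught. Without it, only the by-name form can be recognised.
    """
    if not PROCDUMP_RE.search(ev.image):
        return None
    if LSASS_RE.search(ev.command_line):
        return "procdump targeting lsass by process name"
    for tok in ev.command_line.split():
        if tok.isdigit() and lsass_pids and int(tok) in lsass_pids:
            return f"procdump targeting lsass by PID {tok}"
    return None


def scan(events: Iterable[ProcessEvent], lsass_pids: Optional[Set[int]] = None) -> List[Tuple[int, str]]:
    """Run the classifier over a stream of events; return (event index, reason) pairs."""
    findings: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        reason = classify_lsass_dump(ev, lsass_pids)
        if reason:
            findings.append((idx, reason))
    return findings


# Constructed sample telemetry; none of these values come from a real incident.
SAMPLE_EVENTS = [
    # 0: Procdump dumping LSASS by name - should be flagged.
    ProcessEvent(r"C:\Tools\procdump64.exe",
                 r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp",
                 r"C:\Windows\System32\cmd.exe"),
    # 1: same tool, target given as a PID - flagged only if 1234 is a known lsass PID.
    ProcessEvent(r"C:\Tools\procdump64.exe",
                 r"procdump64.exe -accepteula -ma 1234 C:\Windows\Temp\1.dmp",
                 r"C:\Windows\System32\cmd.exe"),
    # 2: benign process whose argument merely contains the substring "lsass".
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 "notepad.exe lsass_notes.txt",
                 r"C:\Windows\explorer.exe"),
    # 3: Procdump used against an unrelated process - not flagged.
    ProcessEvent(r"C:\Tools\procdump64.exe",
                 r"procdump64.exe -ma notepad.exe C:\Temp\n.dmp",
                 r"C:\Windows\System32\cmd.exe"),
    # 4: output file happens to be called lsass.dmp; PID 4321 is not lsass - not flagged.
    ProcessEvent(r"C:\Tools\procdump64.exe",
                 r"procdump64.exe -ma 4321 C:\Temp\lsass.dmp",
                 r"C:\Windows\System32\cmd.exe"),
]
SAMPLE_LSASS_PIDS = {1234}  # constructed: lsass.exe PID on the sample host


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS, SAMPLE_LSASS_PIDS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {reason}: {ev.command_line} (parent: {ev.parent_image})")
```

The PID branch is the part worth keeping in a production rule: a name-only match is trivially avoided by giving the tool a process ID, so the detection should join process-creation events against the host's running lsass.exe PIDs. A renamed Procdump binary would also evade the image check here; telemetry that carries the PE OriginalFileName or a file hash lets that check be tightened.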
BlackBerry Optics, our endpoint detection and response (EDR) solution, can also help mitigate the attack. BlackBerry recommends that the following official Optics rules be activated:
The BlackBerry Incident Response team can work with organizations of any size and across any vertical to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form, which is monitored around the clock.