The Situation
On 2 March 2021, Microsoft released several security updates for Microsoft Exchange Server 2013, 2016 and 2019 to address vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that have been used in limited targeted attacks. These vulnerabilities can allow an attacker to gain unauthorised access to mailboxes and perform remote code execution.
Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actors exploited these vulnerabilities to access Exchange Server and install additional malware to facilitate long-term access to victim environments. Web shells were used as a technique to escalate and maintain persistent access on an already compromised Exchange server. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, based on observed victimology, tactics and procedures. On 4 March and 5 March 2021, Microsoft provided more resources to help customers investigate and identify threats from HAFNIUM through the indicators of compromise provided in the link below:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log
Ensign Posture & Monitoring
Ensign has performed rounds of checks to confirm that these flaws do not affect our infrastructure.
Ensign has also stepped up monitoring operations, and will advise clients of any anomalies detected from the monitored event logs.
Our Recommendations
Ensign will continue to provide updates on the incident and inform you of additional recommendations. If you suspect that you have been compromised, you can contact us for digital forensic and incident response services. You can also take preemptive measures to protect your assets against new and unknown threats through our threat hunting and threat intelligence programme. Contact us at marketing@ensigninfosecurity.com for more information.
References:
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/