On March 2, Microsoft announced that its on-premises Exchange Server had experienced multiple 0-day exploits.
Microsoft commented: “In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”
In the attacks observed, the threat actor used these vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.
These vulnerabilities are addressed in the following Microsoft Security Response Center (MSRC) releases – Multiple Security Updates Released for Exchange Server and Guidance for Responders: Investigating and Remediating on-premises Exchange Server vulnerabilities. Microsoft strongly urges customers to update on-premises systems immediately.
Microsoft has declared that Exchange Online is not affected.
The OpenText™ Security Detection Engineering Team is closely monitoring the situation and developing tools to help customers mitigate potential risk from this cyberattack. The newly released detection rules for OpenText™ EnCase™ Endpoint Security CE 20.4 and CE 21.1 updates the product’s software detection rules with known indicators of compromise related to HAFNIUM.
OpenText recommends that customers update their on-premises systems immediately by taking the following steps:
Download and run the Microsoft Safety Scanner to find and remove planted webshells. Continue to monitor for webshell creations using the Endpoint Security filters released and linked below.
Apply any anomaly detection filters or advanced indicators of compromise (IoC) filters, released by OpenText, to search historical telemetry and behavioral indicators.
Conduct a threat hunt on your environment, and if evidence of this attack is found, conduct the following and digital forensics and incident response (DFIR) activities on the environment:
- Immediately collect memory from devices for deeper analysis, looking to ensure threat actors did not gain escalated access to any potentially compromised systems.
- Conduct an audit of the Active Directory to ensure no additional users were created during the breach.
- Compose a timeline of the incident and look for potential lateral movement.
- Validate webshells have been removed and remediate and any other malware found.
- Identify all exfiltrated data from the company.
For assistance with identifying and addressing risks in your environment, contact the OpenText Security Services team.