Following reports by Microsoft that it detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks, Sophos, a global leader in IT security, has issued an advisory to organisations on proactive measures to take.
In the attacks observed, Microsoft said that the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, all of which were addressed in the Microsoft Security Response Center (MSRC) release published the same day, Multiple Security Updates Released for Exchange Server.
“We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.”
Following Microsoft’s disclosure about Hafnium, Sophos said it has been closely monitoring the issue and is providing regular advice on how organisations should hunt for and mitigate actual or potential attacks.
Commenting on this, Mat Gangwer, Senior Director, Sophos Managed Threat Response, said:
“These vulnerabilities are significant and need to be taken seriously. They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them. The broad installation of Exchange and its exposure to the internet means that many organizations running an on-premises Exchange server could be at risk.
“Attackers are actively exploiting these vulnerabilities with the primary technique being the deployment of web shells. This, if unaddressed, could allow the threat actor to remotely execute commands for as long as the web shell is present.
“Organizations running an on-premises Exchange server should assume they are impacted, and first and foremost patch their Exchange devices and confirm the updates have been successful. However, simply applying patches won’t remove artifacts from your network that pre-date the patch.
“Organizations need human eyes and intelligence to determine whether they have been impacted and to what extent, and, most importantly, to neutralize the attack and remove the adversary from their networks.
“Organizations should review the server logs for signs that an attacker may have exploited their Exchange server.”
Gangwer added that many of the currently known indicators of compromise are web shell-based, so there will be file remnants left on the Exchange server.
“An overview of files and any modifications to them is therefore important. If you have an endpoint detection and response (EDR) product installed, you can also review logs and process command execution.
“If you find any anomalous or suspicious activity, you should determine your exposure as this will allow you to decide what to do next. You need to understand how long or impactful this activity may have been. What is the gap between appearance of the web shell or other artifacts in your network and the moment of patching or discovery?
“This is often a good time to ask for external support if you’re not sure what to do. Third-party forensic and incident response can be vital at this stage, providing experienced threat hunting and human intelligence that can dive deep into your network and find the attackers.
“The Sophos Managed Threat Response team is actively hunting and investigating customer environments to see if we can uncover new artefacts or indicators of compromise that can be used to boost detection and defense against this threat.”
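The review Gangwer describes above has three parts: an overview of script files on the Exchange server and when they were modified, a check of the web server logs for requests to those files, and the gap between a web shell's appearance and the moment of patching or discovery. The script below is an added example of how a responder might combine those checks; it is not Sophos or Microsoft code. Every path, timestamp, IP address and log line in it is a constructed placeholder, the web root to scan is whatever directory the operator passes in, and the IIS log columns are assumed to follow the standard W3C `#Fields:` directive.

```python
"""Post-exploitation triage helpers for an on-premises Exchange (IIS) host.

Added example, not Sophos or Microsoft code. Every path, timestamp, IP
address and log line below is constructed for illustration.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable

# Script types a web shell dropped under an IIS web root is commonly written as.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


@dataclass(frozen=True)
class FileRecord:
    path: str
    modified: datetime  # UTC


def _leaf(path: str) -> str:
    """File name portion of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan_web_root(root: str) -> list[FileRecord]:
    """Walk a real web root (operator-chosen) and collect script files
    together with their last-modified times."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                full = os.path.join(dirpath, name)
                mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
                found.append(FileRecord(full, mtime))
    return found


def modified_after(records: Iterable[FileRecord], baseline: datetime) -> list[FileRecord]:
    """Script files changed after the last known-good change (for example the
    last update install); the server's own pages should predate that."""
    return sorted((r for r in records if r.modified > baseline), key=lambda r: r.modified)


def parse_iis_w3c(lines: Iterable[str]) -> list[dict[str, str]]:
    """Minimal IIS W3C log reader: the '#Fields:' directive names the columns."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#"):
            continue  # other directives and blank lines
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def requests_for_files(rows: Iterable[dict[str, str]], flagged: Iterable[FileRecord]) -> list[dict[str, str]]:
    """Log entries whose requested file name matches a flagged script.
    Matching on the file name is a heuristic: the virtual-directory mapping
    of the web root is not known to this script."""
    names = {_leaf(r.path) for r in flagged}
    return [row for row in rows if _leaf(row.get("cs-uri-stem", "")) in names]


def triage(records, log_lines, baseline: datetime, discovery: datetime) -> dict:
    """Run the three checks; dwell_seconds is the gap between the earliest
    flagged artefact and the moment of patching or discovery."""
    flagged = modified_after(records, baseline)
    hits = requests_for_files(parse_iis_w3c(log_lines), flagged)
    dwell = (discovery - flagged[0].modified).total_seconds() if flagged else None
    return {
        "flagged": [_leaf(r.path) for r in flagged],
        "requests": [(h["cs-method"], h["c-ip"], h["cs-uri-stem"]) for h in hits],
        "dwell_seconds": dwell,
    }


# Constructed sample input (not real indicators): a placeholder web root with
# two stock pages and one script that appeared after the baseline.
BASELINE = datetime(2021, 1, 15, tzinfo=timezone.utc)         # last known-good change
DISCOVERY = datetime(2021, 3, 3, 10, 0, tzinfo=timezone.utc)  # patch / discovery time
SAMPLE_FILES = [
    FileRecord(r"C:\placeholder\webroot\owa\auth\logon.aspx", datetime(2020, 12, 1, tzinfo=timezone.utc)),
    FileRecord(r"C:\placeholder\webroot\ecp\default.aspx", datetime(2020, 12, 1, tzinfo=timezone.utc)),
    FileRecord(r"C:\placeholder\webroot\owa\auth\unexpected.aspx", datetime(2021, 3, 1, 4, 12, tzinfo=timezone.utc)),
]
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-01 04:10:00 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-01 04:13:07 10.0.0.5 POST /owa/auth/unexpected.aspx - 443 - 203.0.113.9 python-requests/2.25 200
"""


def run_sample() -> dict:
    """Triage the constructed sample; swap in scan_web_root(...) and real log lines in use."""
    return triage(SAMPLE_FILES, SAMPLE_LOG.splitlines(), BASELINE, DISCOVERY)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the sample, the one script modified after the baseline is reported together with the single POST that reached it and a dwell time of just over two days. In real use the baseline should be the last change an administrator can vouch for, and a file that turns up here is a lead for forensic review rather than a verdict, which is the point Gangwer makes about needing human eyes on the result.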
Gangwer explained that Sophos’ 24/7 incident response team is already supporting organisations that believe they may have been attacked, adding: “This will also help us to gather more intelligence about this threat and how to protect against it.”
TechEconomy.ng gathered that Sophos has released detections for the known IoCs and post-exploitation tools used.