***SOC ADVISORY*** MICROSOFT EXCHANGE ZERO-DAY EXPLOIT / HAFNIUM ATTACK
Incident Report for CyFlare
Resolved
We have completed initial investigations regarding this event. We will continue to monitor for the related IOC's to this event. Please feel free to reach out to your SOC if you require further assistance.
Posted Mar 16, 2021 - 14:23 EDT
Monitoring
To our valued subscribers:

Over the last week a critical, zero-day, Microsoft Exchange vulnerability against versions 2013, 2016, and 2019 has been published that allows attackers to access your network without having to authenticate utilizing remote access through port 443. Please rest assured in knowing that your SOC has taken this event seriously and have made it a priority.

We have enhanced our training around the various threat vectors associated to the HAFNIUM Attack.

What we know:

• An attacker can gain access to your network without credentials for authentication and create web shell scripts to allow persistence and privilege escalations.
• Should these attackers gain access, per Microsoft, additional activities include:
o Credential theft via dumping of LSASS process memory.
o Compression of data for exfiltration via 7-Zip.
o Use of Exchange PowerShell Snap-ins to export mailbox data.
o Use of additional offensive security tools Covenant, Nishang, and PowerCat for remote access.

Microsoft Article: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Some of the known Indicators of Compromise (IOCs) are as follows:

o Help.aspx(MD5 Hash: 4b3039cf227c611c45d2242d1228a121)
o Iisstart.aspx(MD5 Hash: 0fd9bffa49c76ee12e51e3b8ae0609ac)
o W3wp.exe(IIS process with front end exchange server) which spawns cmd.exe to write files
o BEACON MD5 Hash: 79eb217578bed4c250803bd573b10151
o 165.232.154.116
o 182.18.152.105
o 89.34.111.11
o 86.105.18.116

What do you need to do if you believe you may be affected by this attack:

The following vulnerabilities MUST be patched on your ON-PREM Exchange Servers IMMEDIATELY:

o CVE-2021-26855
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
o CVE-2021-26857
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
o CVE-2021-26858
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858
o CVE-2021-27065
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858
• Restrict untrusted connections to Port 443.
• Respond to tickets from your SOC that may indicate any of the above Indicators of Compromise to initiate additional investigation and escalation.

Vendor Communications:

Sentinel One: https://www.sentinelone.com/blog/sentinelone-and-hafnium-microsoft-exchange-0-days/
CyFlare BDS: https://desk.cyflare.cloud/portal/en/kb/articles/microsoft-e
Sophos: https://news.sophos.com/en-us/2021/03/08/protecting-sophos-customers-from-hafnium/

We will continue to update based on documentations provided by our preferred vendors.

What CyFlare is doing:

Advanced Threat Hunting:

• CyFlare has been working diligently to enhance detections around the above IOC’s.
• Incident Investigation being performed for customers who suspect they may have been compromised.
• Pre-emptive investigation for credential dumps, powershell execution, etc.
• Recommendations being provided to remediate if IOC’s are found.
• CYFLARE performs advanced threat hunting utilizing deep visibility logs that may contain possible exploitation related attempts for any trojans and other real time IOCs triggered.
• We will continue to update our customers as we navigate this event

Please Reach out to your SOC at socir@cyflare.com if you believe you may have been affected or would like investigation.
Posted Mar 11, 2021 - 12:03 EST
This incident affected: Breach Detection Service.