March 2, 2021 marked the day of the release of a Threat Intelligence report by Microsoft, reporting multiple (!) 0-day exploits abused in the wild to attack on-premises versions of Microsoft Exchange Server.
The threat actor, dubbed 'HAFNIUM', abuses multiple vulnerabilities to access on-premises Exchange servers, bypassing authentication mechanisms.
Once access to the on-premises Exchange servers is gained, the full contents of user mailboxes can be extracted and exfiltrated outside of the network, and additional malware can be installed.
Affected Microsoft Exchange Servers:
Davinsi Labs strongly recommends and urges our customers to update on-premises Exchange servers immediately, to ensure the following patch is in place: Security update for Microsoft Exchange Server 2013, 2016 and 2019.
For a head start in the right direction in terms of threat detection, take a look at the blog posts from Splunk, Sentinel and Rapid7 on detecting adversarial activity related to HAFNIUM:
Furthermore, Rapid7 is actively covering the 0-day related CVEs in their Vulnerability & Exploit database.
This tool includes the latest Microsoft Safety Scanner and is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching.
Davinsi Labs recommends using this tool to automate remediation while security patching or mitigation of the on-premises Exchange servers is still ongoing.