It was recently disclosed that Microsoft Exchange offerings were severely compromised in nation-state sponsored operations by the threat group known as HAFNIUM. This incident has potentially affected tens-of-thousands of public and private organizations across the globe.
The Cybereason Incident Response Team continues to investigate the evolving HAFNIUM-related threats in order to further protect our customers against a growing number of adversaries reported to be actively targeting still-vulnerable as well as patched, but not yet fully remediated, Microsoft Exchange servers.
Here’s what you need to know about the most recent developments in the HAFNIUM attacks and how Cybereason is continuing to protect our family of defenders:
HAFNIUM Attack Background
On March 2, Microsoft warned of nation-state cyber attacks exploiting four vulnerabilities in its Exchange Server software to target U.S. organizations. The tech firm attributed the attacks to HAFNIUM, a “highly skilled and sophisticated actor” based in China.
These are effectively ProxyLogon attacks that started with HAFNIUM exploiting the above-mentioned Exchange vulnerabilities or leveraging stolen account credentials to gain access to an organization’s Exchange Server. The threat actors then established a webshell for the purpose of controlling the Exchange Server remotely. Finally, the attackers remotely exfiltrated sensitive information from targeted organizations’ networks.
Three days after Microsoft’s announcement, KrebsOnSecurity reported that HAFNIUM had taken advantage of the security flaws to compromise tens of thousands of organizations based in the United States alone. Per Reuters reporting, it was the same story for tens of thousands of other organizations in Asia and Europe, including Norway’s parliament, Europe’s banking authority and the Spanish government.
Microsoft urged customers to use this script to scan for HAFNIUM’s Indicators of Compromise (IOCs) and to use these security updates to patch their affected systems. It quickly became apparent to tens of thousand of impacted organizations that patching alone would not be enough to protect systems from further intrusions.
It was subsequently reported that an array of other threat actors are now leveraging residual webshells from the original HAFNIUM attacks to launch new attacks aimed at compromising email servers around the world, including attacks spreading the DearCry Ransomware.
Cybereason is Dedicated to Defending Our Customers
Cybereason puts the security of our customers first, and all of our customers were protected from the initial HAFNIUM attacks and continue to be protected from subsequent attacks by other threat actors.
The Cybereason Defense Platform provides multi-layer protection against threats like HAFNIUM. Cybereason EDR and XDR detect the post-exploitation techniques including the use of PowerCat, lsass process dumping, and the Nishang Invoke-PowershellTcpOneLine reverse shell.
In addition, the Cybereason NGAV stack prevents the execution of malware payloads and credential theft attempts at later stages of the HAFNIUM actor’s attack, as well as the most recent attacks from other threat actors leveraging the DearCry Ransomware.
If your organization is being impacted by these recent attacks, or if you have concerns about the potential your organization has been compromised, contact us immediately for containment by our expert Incident Response team.
We can also help your security team hunt for and eliminate unidentified threats through a custom Compromise Assessment. Cybereason can also work with your team to accelerate your security operations through our Managed Detection and Response services to keep your organization protected from potential compromise.
Contact a Cybereason defender today to learn how your organization can experience the deep context and correlations delivered by the Cybereason Malop to achieve an operation-centric approach and a future-ready security posture. Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere.
*** This is a Security Bloggers Network syndicated blog from Blog authored by Cybereason Security Team. Read the original post at: https://www.cybereason.com/blog/hafnium-response-cybereason