The Microsoft Exchange zero-day exploit drop this week is a big one for 2021. The actions everyone needs to take while these exploits are being used in the wild are:
1. Take inventory
- Do you host an on-premises Exchange server?
- Is the Exchange server vulnerable? Most likely, unless you applied the latest out-of-band patches released on 2 March 2021.
2. Apply Patches
- Make sure those patches are applied, as active exploitation is bound to find you soon if it hasn’t already.
3. Scan your Exchange server for malicious webshells
- Even after you patch, it’s important to verify whether the vulnerability was exploited. FireEye reported seeing these exploits used as early as January 2021.
- Infocyte just published a scanner that consolidates the signatures and log-pull recommendations from multiple threat intel sources and security reports. (Special thanks to Volexity and Microsoft for their timely reports.)
- Infocyte users can download our Exchange webshell scanner extension here:
4. Monitor for malicious activity on your Exchange servers or endpoints
- If you have endpoint monitoring, look for suspicious PowerShell activity on the Exchange server: PowerShell being launched from your web server applications, procdump.exe run against LSASS, etc.
- This post-exploit activity is important to look for. One of our customers was exploited by this attacker, but because PowerShell was disabled on the server by policy, the malicious webshell was present yet none of the follow-on post-exploit activity succeeded.
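The monitoring checks above, written out as detection logic over process-creation events, as an added example that is not part of the original post or Infocyte's scanner. It assumes Sysmon-style Image/ParentImage/CommandLine fields and treats w3wp.exe (the IIS worker process that hosts Exchange's web apps) as the "web server application" parent; the sample events and detection names are constructed here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# illustrative only, not telemetry from any real incident.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"Image": r"C:\Tools\procdump.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "procdump.exe lsass.exe dump.dmp"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Service MSExchangeTransport"},
]

SHELLS = {"powershell.exe", "pwsh.exe"}
# w3wp.exe is the IIS worker process hosting Exchange's web apps (OWA/ECP);
# a shell whose parent is w3wp.exe is the "launched from your web server" case.
WEB_WORKERS = {"w3wp.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?(?:\s|$)")

def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Names of the detections that fire for a single event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if image in SHELLS and parent in WEB_WORKERS:
        hits.append("powershell spawned by IIS worker process")
    if image in SHELLS and ENCODED_FLAG.search(cmd):
        hits.append("encoded powershell command line")
    if image == "procdump.exe" and "lsass" in cmd.lower():
        hits.append("procdump run against LSASS")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """(event index, detections) for every event that triggers at least one rule."""
    findings = []
    for idx, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append((idx, hits))
    return findings
```

Feed it the process-creation events from your EDR or Sysmon export in the same field shape; the third sample shows ordinary admin PowerShell producing no hit.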
Get to patching and then get to hunting!
This is a Security Bloggers Network syndicated blog from Blog – Infocyte authored by Chris Gerritz. Read the original post at: https://www.infocyte.com/blog/2021/03/05/hafnium-exchange-zero-day-scanning/