HAFNIUM Exchange Zero-Day Scanning

This post was last updated on March 26th, 2021 at 11:15 am

The Microsoft Exchange zero-day exploit drop this week is a big one, with far-reaching implications for organizations in 2021. Infocyte recommends the following actions for organizations now that these exploits are being used in the wild:

1. Take inventory

  • Do you host an on-prem Exchange server?
  • Is the Exchange server vulnerable? The answer is ‘most likely’ unless you applied the latest out-of-band patches released on 2 March 2021.

2. Apply patches

  • Make sure those patches are applied: active exploitation is bound to find you soon if it hasn’t already.

3. Scan your Exchange server for malicious WebShells

4. Monitor for malicious activity on your Exchange servers or endpoints

  • If you have endpoint monitoring, look for suspicious PowerShell activity on that Exchange server: PowerShell being launched from your web server applications, procdump.exe run against LSASS, etc.
  • This post-exploit activity is important to monitor. One of our customers was exploited by this attacker, but because PowerShell was disabled on the server by policy, the malicious WebShell was present but no follow-on post-exploit activity was observed to succeed.
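As an added example (not Infocyte's code), the three step-4 patterns above expressed as detection rules run over constructed Sysmon-style process-creation records; the field names, the assumption that Exchange's web applications run under the IIS worker process w3wp.exe, and the sample events are all assumptions made here:

```python
import re

# Assumption: Exchange's web applications run inside the IIS worker
# process w3wp.exe, so a shell whose parent is w3wp.exe is the "PowerShell
# launched from your web server application" pattern from step 4.
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DUMP_TOOLS = {"procdump.exe", "procdump64.exe"}
# Command-line traits common in post-exploitation PowerShell (encoded
# commands, hidden windows, download cradles); tune for your environment.
SUSPICIOUS_PS = re.compile(
    r"(?:^|\s)-(?:e|en|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden"
    r"|downloadstring|invoke-expression|\biex\b")

def _basename(path):
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append("shell spawned by web server worker")
    if image in POWERSHELL and SUSPICIOUS_PS.search(cmdline):
        hits.append("suspicious PowerShell command line")
    if image in DUMP_TOOLS and "lsass" in cmdline:
        hits.append("procdump against LSASS")
    return hits

def scan(events):
    """Map event index -> labels for every event that triggers a rule."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}

SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc JABhAD0AMQA="},  # $a=1
    {"Image": r"C:\Tools\procdump.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"procdump.exe -accepteula -ma lsass.exe C:\temp\l.dmp"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-MailboxDatabase"},  # routine admin use
]

if __name__ == "__main__":
    for i, labels in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", labels)
```

The first two sample events trigger rules; the third (an administrator running an Exchange cmdlet from Explorer) does not, which is the distinction the parent-process and command-line checks are meant to draw.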

Get to patching and then get to hunting!

Infocyte Team
