HAFNIUM Exchange Zero-Day Scanning
This post was last updated on March 26th, 2021 at 11:15 am
The Microsoft Exchange zero-day exploit drop this week is a big one, with far-reaching implications for organizations in 2021. With these exploits being used in the wild, Infocyte recommends that organizations take the following actions:
1. Take inventory
- Do you host an on-prem Exchange server?
- Is the Exchange server vulnerable? The answer is ‘most likely’ unless you applied the latest out-of-band patches released on 2 March 2021.
2. Apply patches
- Make sure those patches are applied: active exploitation is bound to find you soon if it hasn’t already.
3. Scan your Exchange server for malicious WebShells
- Even after you patch, it’s important to verify whether the vulnerability was already exploited. FireEye reported seeing these exploits used as early as January 2021.
- Infocyte just published a scanner that consolidates the signatures and log pull recommendations from multiple threat intel sources and security reports. (Special thanks to Volexity and Microsoft for their timely reports.)
- Infocyte users can download our Exchange WebShell scanner extension here:
4. Monitor for malicious activity on your Exchange servers and endpoints
- If you have endpoint monitoring, look for suspicious PowerShell activity on the Exchange server, such as PowerShell being launched from your web server applications, procdump.exe being run against LSASS, and similar behavior.
- This post-exploitation activity is important to monitor. One of our customers was exploited by this attacker, but because PowerShell was disabled on the server by policy, the malicious WebShell was present yet no follow-on post-exploitation activity was observed to succeed.
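As an added example (not Infocyte's scanner or extension code), the following Python flags the two process patterns step 4 names, an interpreter spawned by the web server and procdump.exe run against LSASS, over constructed Sysmon-style process-creation events. It assumes Exchange's web applications run inside IIS worker processes named w3wp.exe.

```python
"""Flag the post-exploitation process activity step 4 says to monitor.
Constructed example, not Infocyte's scanner. Events carry the Image /
ParentImage / CommandLine fields of a Sysmon Event ID 1 record. Assumption:
Exchange web apps run in IIS worker processes named w3wp.exe."""
import ntpath

WEB_SPAWNED_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
IIS_WORKER = "w3wp.exe"  # assumed IIS worker process name

def _basename(path):
    """Lower-cased file name of a Windows path; tolerates a missing field."""
    return ntpath.basename(path or "").lower()

def classify_event(event):
    """Return the rules an event trips (empty list when it looks benign)."""
    image = _basename(event.get("Image"))
    parent = _basename(event.get("ParentImage"))
    cmdline = (event.get("CommandLine") or "").lower()
    reasons = []
    if parent == IIS_WORKER and image in WEB_SPAWNED_INTERPRETERS:
        reasons.append(f"{image} spawned by IIS worker process")
    if image == "procdump.exe" and "lsass" in cmdline:
        reasons.append("procdump.exe run against LSASS")
    return reasons

def hunt(events):
    """Return (event, reasons) pairs for every event that trips a rule."""
    return [(ev, r) for ev in events if (r := classify_event(ev))]

# Constructed sample events; paths and command lines are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "w3wp.exe -ap MSExchangeOWAAppPool"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell.exe -NoProfile -Command whoami"},
    {"Image": r"C:\Temp\procdump.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "procdump.exe lsass.exe lsass.dmp"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Date"},  # console admin use: benign
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(_basename(ev["ParentImage"]), "->", _basename(ev["Image"]), "|", "; ".join(reasons))
```

Feed it real Sysmon or Security 4688 records (mapping the parent-process field to ParentImage) and the two rules give a first cut at the post-exploitation hunt; a host where PowerShell is disabled by policy, as in the customer case above, would show the w3wp.exe parent but no successful interpreter start.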
Get to patching and then get to hunting!