[ SB 21.07 ] Emergency-Patches for MS Exchange / HAFNIUM targeting Exchange Servers with 0-day exploits ( CVE-2021-26855 )

Updates/Timeline

  • 2021-03-[03-09] IOC and DFIR - Links added below
  • 2021-03-11 - PoC released
  • 2021-03-14 - multiple working PoCs circulating
  • 2021-03-23 - ransomware-gangs starting to use the vuln for attacks

Today Microsoft released a blogpost detailing an exploit-campaign by the group HAFNIUM, targeting and exploiting Exchange-Servers with 0-Day-Exploits.

Microsoft releases emergency-patches for mentioned 0days as well for affected Exchange-Servers:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

A more C-level-Blogpost: New nation-state cyberattacks was released by MS as well.

We urge our customers to update affected Exchange-Installations ASAP, since PoCs and massexploitation is to be expected within days.

If you have patched, confirm the patch with a vulnscan (see reasons below)


Since 2021-03-02 public exploits are floating around, every instance not patched before this date should be assumed compromised. Thera are also reports of mass-scanning dating back to 2021-02-26

ATTENTION: if you operate in a field that is susceptible to state-actor-attacks, CISA released an Alert, stating that scans and exploitation dates back as Sep 2020:

CISA is aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers and advises entities to investigate for signs of a compromise from at least September 1, 2020.

mass-exploit early


mass-exploit early


mass-exploit early


mass-exploit early


poc-email


Since 2021-03-21 Ransomware-Gangs are actively using the vuln to attack companies.

According to a client affected by the incident, the events that led to the successfull attack took place in the following timeline

  • 2021-03-05 Webshell ChinaChopper deployed
  • 2021-03-09 System been seen in a Vulnscan, ignored
  • 2021-03-12 System patched
  • 2021-03-20 BK access the system for the first time via webshell
  • 2021-03-23 Exchange and AD encrypted

rnsm-attack

References

Timeline

All Things Updates

IOCs

DFIR & PoC





Fragen? Kontakt: info@zero.bs

taggy