On March 2, 2021, zero-day vulnerabilities affecting Microsoft Exchange were publicly disclosed. These vulnerabilities are being actively exploited in the wild by HAFNIUM, a threat actor believed to be a nation state. According to an alert from CISA:
“Microsoft has released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. A remote attacker can exploit three remote code execution vulnerabilities—CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065—to take control of an affected system and can exploit one vulnerability—CVE-2021-26855—to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild.”
CISA issued an emergency directive urging organizations to patch on-premises Exchange Servers and to perform the associated security scans to determine whether attackers are already in their systems.
What should Sophos customers do?
The Sophos MTR team has published a step-by-step guide on how to search a customer’s network for signs of compromise.
The good news is that Sophos MTR, network, and endpoint customers have multiple protections against the exploitation of the new vulnerabilities.
A Sophos News article has been published that reviews many of these protections:
- Related AV signatures that have blocked HAFNIUM, and advice on what to do if they’ve been triggered
- Queries Sophos EDR customers can run to identify potential web shells for investigation
- IPS signatures for Sophos Firewall customers
Multiple security advisories have already been sent to MTR customers outlining the issue and what the MTR team is doing to keep customers protected.
Sophos Managed Threat Response (MTR) and Rapid Response
Organizations have been requesting more information over the past few days about which Sophos services can validate their exposure. Sophos MTR Advanced is the ideal solution for staying protected against advanced attacks like HAFNIUM.
Existing MTR customers can rest easy knowing that the MTR team began looking for any related activity in their networks immediately.
If a non-MTR customer is seeing signs that they may be experiencing related adversarial activity, we recommend they contact the Sophos Rapid Response team immediately.