A couple of months have passed since the zero-day vulnerabilities affecting Microsoft Exchange were publicly disclosed. These vulnerabilities are still being actively exploited in the wild by HAFNIUM, believed to be a nation state-funded threat actor.
The cybersecurity industry is fairly confident that the HAFNIUM group were carrying out a very targeted attack against US government targets, and were specifically interested in stealing data. As is typically the way in cyber, however, several gangs have wanted to get in on the action, and are using similar techniques to HAFNIUM to drop ransomware payloads.
Even if they’ve patched, your customers need to assume they’ve been breached – it’s thought this zero-day exploit was out there being exploited for some months (if not longer) before the public disclosure and patches were made available.
Following the Sophos guidance, there are detailed examples of SQL search queries that can be used with our Intercept X with EDR platform. These can be run to hunt for indicators of compromise (IoCs) related to the attack – e.g. looking for Web Shells used by malicious actors for persistence and to move laterally within affected environments. Note: customers that have up until now only been using Intercept X can enable a 30 day trial for CIXAEDR, and the journal history required to carry out these threat searches will already exist on their machines.
The guidance and recommendations from Sophos are very clear – PATCH! This should be the number one priority. Using tools such as Shodan, it’s likely there are still thousands of unpatched Exchange systems in the wild, vulnerable to attack. This brings me to how I believe we can simplify the topic of cybersecurity and how businesses need to do a better job of keeping themselves safe from evolving threats like this.
When having conversations with a customer or a prospect, ask them which of these broad buckets they fall into:
- The customer has a security operations centre (SOC) with a team of skilled cyber analysts and threat hunters, who are constantly monitoring their environment for threats and can respond (night or day) to any cyber events.
- The customer has an IT team who play an active role in cyber, but ultimately have a relationship with an MSSP who manages much of the day-to-day challenges of security. In the case of an attack, the MSSP would stand up and the Incident Response team to help them identify, respond to threat.
- The customer doesn’t have the budget, skills or appetite to build their own SOC, and so they outsource all of their cyber risk to a Managed Threat Response service to someone like Sophos.
This as I say is a very simplistic approach, and there are undoubtedly various nuances around these scenarios. The talk-track up until now has often been around what the customer has budgeted for when it comes to their cybersecurity approach – this has to change. We need to explore what the customer needs (which bucket they sit in) and then explore what the cost might be to the organisation if they don’t protect themselves appropriately.
One thing is for sure – a customer who doesn’t pay for a managed threat response service right now is generally going to be startled by the cost, but if that’s what they need to protect their organisation, then you can bet it will be cheaper than the impact on their organisation if they’re unable to work for days/weeks due to a ransomware attack.
Since HAFNIUM there have been further Exchange vulnerabilities disclosed. I think it’s fair to say we can expect to see customers moving their email to an IaaS model. If you’re helping a customer achieve this, don’t forget to position Sophos Central Email as an enhanced email security offering. If they’re going to be consuming the Public Cloud, let’s take the opportunity to talk to customers about Cloud Security Posture Management (CSPM), and ensuring that they remain compliant and are following best practices in Azure / AWS / GCP.
Remember Hafnium? Here’s the bad news – it’s not over yet! Learn why and what to do… nakedsecurity.sophos.com