6 Route 173, Clinton, NJ 08809

How to Handle MS Exchange HAFNIUM Zero-Day

March 16, 2021

By Steve Scarola, Security Practice Lead

As we have all heard, Microsoft recently disclosed multiple vulnerabilities in their Exchange 2010-2019 products. Understanding whether you are (or were) compromised is your first priority, along with mitigating those open vulnerabilities as quickly as possible.

To mitigate any current issues, take the time to look at your exchange infrastructure and determine if basic IOC’s (Indicators of Compromise) are present. Look for simple things that have already been identified as indicators in your environment to quickly discover if you are affected.

  • On your Exchange Server:
    • “C:\root”, “C:\ProgramData\ssh”
    • Strange directories in “C:\windows\temp”, containing reports, and Exchange specific data files
    • Run the MSERT Vulnerability Checker which can detect malicious web shells

The following link will provide you with a feed from Microsoft of malware hashes and known malicious file paths observed in related attacks in both JSON and CSV formats.

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

CPP has already seen instances where customers have been compromised, in some cases beginning late last year. Installing patches and monitoring your infrastructure and file systems for anomalous activity is paramount. If you are not in a position to take advantage of the tools required to monitor for this type of activity, consider migrating to Office365 which is generally less susceptible to these type of attacks.

If you are unsure if you have been affected, need assistance updating you current environment, or would like to have a discussion about migrating to Office365, please contact CPP and we will be happy to discuss next steps with you.