Following Microsoft’s news about Hafnium, Sophos has been closely monitoring the issue and is providing regular advice on how organizations should threat hunt and mitigate the attack/potential attack.
According to Mat Gangwer, Senior Director, Sophos Managed Threat Response, these vulnerabilities are significant and need to be taken seriously. They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them. The broad installation of Exchange and its exposure to the internet means that many organizations running an on-premises Exchange server could be at risk.
Attackers are actively exploiting these vulnerabilities, with the primary technique being the deployment of web shells. This, if unaddressed, could allow the threat actor to remotely execute commands for as long as the web shell is present.
Organizations running an on-premises Exchange server should assume they are impacted, and first and foremost patch their Exchange servers and confirm the updates have been successful. However, simply applying patches won’t remove artifacts from your network that pre-date the patch. Organizations need human eyes and intelligence to determine whether they have been impacted and to what extent, and, most importantly, to neutralize the attack and remove the adversary from their networks.
Organizations should review the server logs for signs that an attacker may have exploited their Exchange server. Many of the current known indicators of compromise are web shell-based, so there will be file remnants left in the Exchange server. An overview of files and any modifications to them is therefore important. If you have an endpoint detection and response (EDR) product installed, you can also review logs and process command execution.
If you find any anomalous or suspicious activity, you should determine your exposure, as this will allow you to decide what to do next. You need to understand how long this activity may have gone on and how much impact it may have had. What is the gap between the appearance of the web shell or other artifacts in your network and the moment of patching or discovery? This is often a good time to ask for external support if you’re not sure what to do. Third-party forensic and incident response services can be vital at this stage, providing experienced threat hunting and human intelligence that can dive deep into your network and find the attackers.
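The review described above has three parts: inventory web-executable files on the server and flag ones written after a suspected first-exploitation date, check the web server logs for requests to those files, and measure the gap between the earliest artifact and the moment of patching. The script below is an added example written for this page and is not Sophos's code or tooling; the directory tree, the IIS-style log lines, the `SINCE` and `PATCHED_AT` dates and the file names (`legit.aspx`, `dropped.aspx`) are all constructed sample data, not real Exchange paths or indicators of compromise.

```python
"""Added example: triage web-content files and web logs for web shell remnants,
then compute the exposure window up to patch time. All inputs are constructed."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Web-executable file types worth reviewing on a web root (assumption: extend as needed).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".php"}

# Constructed dates for the walkthrough: suspected start of exploitation and patch time.
SINCE = datetime(2021, 3, 1, tzinfo=timezone.utc)
PATCHED_AT = datetime(2021, 3, 5, 12, 0, tzinfo=timezone.utc)

# Constructed IIS W3C-style log excerpt (hypothetical hosts, RFC 5737 test addresses).
SAMPLE_LOG = """#Software: constructed sample
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2021-03-02 10:14:03 GET /app/legit.aspx 203.0.113.5 200
2021-03-03 04:22:17 POST /app/dropped.aspx 198.51.100.7 200
2021-03-03 04:22:41 POST /app/dropped.aspx 198.51.100.7 200
2021-03-04 09:01:00 GET /app/legit.aspx 203.0.113.9 200
"""


def find_recent_script_files(root, since):
    """Return (relative_path, mtime) for web script files under root modified at/after `since`."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SCRIPT_EXTENSIONS:
                continue
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            if mtime >= since:
                hits.append((p.relative_to(root).as_posix(), mtime))
    return sorted(hits, key=lambda h: h[1])


def requests_to_files(log_text, flagged_basenames):
    """Parse W3C-style lines using the #Fields header; return (timestamp, client_ip, uri)
    for every request whose URI basename is one of the flagged file names."""
    fields, matches = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        uri = rec.get("cs-uri-stem", "")
        if uri.rsplit("/", 1)[-1].lower() in flagged_basenames:
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            matches.append((ts.replace(tzinfo=timezone.utc), rec.get("c-ip", "?"), uri))
    return sorted(matches)


def summarize(root, log_text, since, patched_at):
    """Combine file and log evidence; exposure window runs from the earliest artifact
    (file write or first request) to the patch time."""
    files = find_recent_script_files(root, since)
    flagged = {Path(p).name.lower() for p, _ in files}
    reqs = requests_to_files(log_text, flagged)
    candidates = [m for _, m in files] + [t for t, _, _ in reqs]
    first_seen = min(candidates) if candidates else None
    exposure = (patched_at - first_seen) if first_seen else None
    return {
        "flagged_files": [p for p, _ in files],
        "requests": reqs,
        "first_seen": first_seen,
        "exposure_days": exposure.days if exposure else 0,
    }


def _set_mtime(path, when):
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def build_sample_tree():
    """Constructed web root in a temp dir: one long-standing page, one recently written
    script, one recently written non-script asset (should be ignored)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_sample_"))
    app = root / "app"
    app.mkdir()
    for name, text in [("legit.aspx", "<%-- page --%>"), ("dropped.aspx", "<%-- new --%>"),
                       ("logo.png", "not a script")]:
        (app / name).write_text(text)
    _set_mtime(app / "legit.aspx", datetime(2020, 6, 1, tzinfo=timezone.utc))
    _set_mtime(app / "dropped.aspx", datetime(2021, 3, 3, 4, 20, tzinfo=timezone.utc))
    _set_mtime(app / "logo.png", datetime(2021, 3, 3, 4, 20, tzinfo=timezone.utc))
    return root


if __name__ == "__main__":
    report = summarize(build_sample_tree(), SAMPLE_LOG, SINCE, PATCHED_AT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The file mtime is only one signal (an attacker can reset timestamps), which is why the log side is included: a request to a script file that has no business existing is evidence even when the file's timestamps look old. On a real server, `since` would be the earliest date from the vendor advisory or from your own baseline, and the exposure window feeds directly into the scoping decision described above.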
“The Sophos Managed Threat Response team is actively hunting and investigating customer environments to see if we can uncover new artefacts or indicators of compromise that can be used to boost detection and defense against this threat. Our 24/7 incident response team is already supporting organizations that believe they may have been attacked and this will also help us to gather more intelligence about this threat and how to protect against it,” says Gangwer.
Sophos has released detections for the known IoCs and post-exploitation tools used.