Microsoft released security updates on March 2, 2021, for Microsoft Exchange Server to address vulnerabilities that have been used in attacks:
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
IMPORTANT:
- Coverage previously provided by Extra.DAT for one of the binaries used in this attack is now included in the 4367 V3 DATs (ENS) and the 9915 V2 DATs (VSE). These DATs were released on March 6, 2021.
- Coverage previously provided by Extra.DAT for the second binary used in this attack is now included in the 4372 V3 DATs (ENS) and the 9920 V2 DATs (VSE). These DATs were released on March 11, 2021.
- At the time of article publication, McAfee is unable to verify coverage for the remaining hashes released by Microsoft.
- LSASS process dump is detected with current DAT as Lsass-Mdump (Potentially Unwanted Program).
Endpoint Security / VirusScan Enterprise:
Coverage for known malware variants is provided by the DAT content listed above or newer. McAfee recommends scanning with current production DATs.
McAfee recommends performing an On-Demand Scan of Exchange servers after applying the Microsoft patch appropriate for the affected OS.
A targeted On-Demand Scan task can be configured to scan the following locations:
- C:\Program Files\Microsoft\Exchange Server\
- C:\inetpub\
- C:\users\public\
Note: Directories may not be located on the C:\ drive in all environments.
File types known to be added to these locations are:
Exploit Prevention / HIPS coverage:
CVE-2021-26855 - Out of scope
CVE-2021-26857 - Expected to be covered by signature 6195
CVE-2021-26858 - Under analysis (additional information is needed)
CVE-2021-27065 - Under analysis (additional information is needed)
Network Security Platform:
NSP IPS Signature Set 10.8.19.2, released on March 09, 2021, includes coverage for the vulnerabilities.
Attack Signature | Attack ID
HIGH - HTTP: Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855) | 0x4528a400
HIGH - HTTP: Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26857) | 0x4528a500
HIGH - HTTP: Microsoft Exchange Server Arbitrary File Write Vulnerability (CVE-2021-26858) | 0x4528b800
HIGH - HTTP: Microsoft Exchange Server Arbitrary File Write Vulnerability (CVE-2021-27065) | 0x4528b700
For details, see KB94291 - REGISTERED - Network Security Signature Sets Release Bulletin (10.8.19.2).
NOTE: This article is viewable only by registered ServicePortal users.
McAfee Insights:
Campaign can be found by searching for:
Exchange Servers targeted with zero-day exploits by the HAFNIUM Threat Group
McAfee EDR:
A real-time search of selected IoCs can be done with a search as described below:
HostInfo and Files name, full_name, create_user_name, sha1, md5, sha256 where Files sha256 equals "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0" or Files sha256 equals "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e" or Files sha256 equals "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1" or Files sha256 equals "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5" or Files sha256 equals "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1" or Files sha256 equals "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea" or Files sha256 equals "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d" or Files sha256 equals "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944"
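The following Python script is an added example, not McAfee's code and not part of the original article. It ties together the two recommendations above: it walks the three On-Demand Scan locations the article lists and reports any file whose SHA-256 matches one of the hashes in the EDR real-time search. It is meant for a responder who wants an offline check on a host without EDR coverage, or who wants to confirm an EDR hit. The scan roots are the article's defaults and can be overridden, since the article notes they may not be on the C:\ drive; because the article's list of file types is not present on the page, every file under those roots is hashed rather than a filtered subset. The `scan_for_iocs` and `summarize` function names, and the graceful skipping of unreadable files, are this example's own choices.

```python
import hashlib
import os
from typing import Dict, Iterable, List, Tuple

# SHA-256 values copied from the EDR real-time search in the article
# (the IoCs published by Microsoft for the HAFNIUM Exchange activity).
HAFNIUM_SHA256 = frozenset({
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
})

# The three locations the article recommends for a targeted On-Demand Scan.
# Defaults only: the article notes they may live on another drive, so callers
# can pass their own roots. Non-existent roots are simply skipped.
DEFAULT_SCAN_ROOTS = (
    r"C:\Program Files\Microsoft\Exchange Server",
    r"C:\inetpub",
    r"C:\users\public",
)


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_for_iocs(roots: Iterable[str], ioc_sha256: Iterable[str]) -> List[Tuple[str, str]]:
    """Walk each root and return (path, sha256) for every file whose hash is in the IoC set.

    Hashes are compared case-insensitively. Files that cannot be read (locked by
    the Exchange worker process, permission denied) are skipped instead of
    aborting the sweep, so one unreadable file does not hide a real match.
    """
    wanted = {h.lower() for h in ioc_sha256}
    hits: List[Tuple[str, str]] = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    digest = sha256_of_file(full)
                except OSError:
                    continue
                if digest in wanted:
                    hits.append((full, digest))
    return hits


def summarize(hits: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hits by hash, the shape in which an EDR search result is usually reviewed."""
    by_hash: Dict[str, List[str]] = {}
    for path, digest in hits:
        by_hash.setdefault(digest, []).append(path)
    return by_hash


if __name__ == "__main__":
    found = scan_for_iocs(DEFAULT_SCAN_ROOTS, HAFNIUM_SHA256)
    for digest, paths in summarize(found).items():
        print(digest)
        for p in paths:
            print("   ", p)
    print(f"{len(found)} file(s) matched {len(HAFNIUM_SHA256)} known hashes")
```

A match is a strong signal only for the exact binaries Microsoft published hashes for; the article itself says coverage for the remaining hashes could not be verified at publication time, so an empty result from this sweep does not rule out other post-exploitation artifacts, and the On-Demand Scan with current DATs remains the primary check.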