Further investigation uncovered that an attacker was exploiting a zero-day and used in the wild. The attacker was using the vulnerability to steal full contents of several user mailboxes. This vulnerability is remotely exploitable and does not require authentication or special knowledge or access to a specific environment.
The only thing the threat actor needs is to know the server running Exchange and the account from which they want to extract email. This vulnerability has been confirmed to exist within the latest version of Exchange 2016 on a fully patched Windows Server 2016 server though vulnerability does not appear to impact Office 365.
Based on signatures and indicators observed, Check Point is making sure its customers are protected against those exploits. In addition, we recommend immediately updating all Microsoft Exchange Servers to the latest patched versions available by Microsoft.
Check Point is closely monitoring the situation and will provide further updates if needed.
How to Detect & Hunt for Vulnerability Exploits
Check Point provides comprehensive security coverage to the vulnerabilities reported by Microsoft with the following Threat Prevention protections:
- CVE-2021-26855 – CPAI-2021-0099
- CVE-2021-26857 – CPAI-2021-0107
- CVE-2021-26858 – CPAI-2021-0107
- CVE-2021-27065 – CPAI-2021-0099
– HAFNIUM.TC. XXX
As part of the broad efforts being done throughout the Check Point Harmony suite of products to ensure customers are fully protected, Check Point Software has immediately updated its endpoint security solution, Harmony Endpoint.
As part of our ongoing service to provide visibility to its customers into the various major global cyberattacks, the solution now has a set of predefined threat hunting queries uncovering indicators and behavior related to this attack.
Threat Hunting is one of the Harmony Endpoint’s key components that provides detailed visibility into infected assets and correlates such activity with the MITRE ATT&CK® Framework. Should the match be found for any of these queries, it should be immediately investigated.
This is the full list of the relevant queries:
– HAFNIUM: Web Shell File Hashes
– HAFNIUM: Abnormal Exchange Server process execution
– HAFNIUM: Credential Dumping using procdump.exe
– HAFNIUM: Credential Dumping utilizing a DLL
– HAFNIUM: Suspicious PowerShell usage
– HAFNIUM: Suspicious script execution utilizing PowerCat
– HAFNIUM: Suspicious Exchange PowerShell Snapin load
– HAFNIUM: Suspicious IPs outbound traffic
– HAFNIUM: Suspicious IPs inbound traffic
– HAFNIUM: Creation of suspicious files by the Exchange Server
– HAFNIUM: Known Web Shell file names
– HAFNIUM: ASPX Web Shell file based indicator
– HAFNIUM: Exfiltration file based indicators
– HAFNIUM: Suspicious AMSI content
Behavior Guard Updates
“Behavioral Guard” – Harmony Endpoint’s behavior protection engine – has also been promptly updated with the relevant signatures which includes post exploitation detection of data collections attempts and credential dumping. These signatures are being automatically updated with all Harmony Endpoint installations to ensure protection for Harmony Endpoint customers.