The scope and impact of the recent HAFNIUM attack on on-premises Exchange servers continue to grow. Below are a few important updates.
CISA Released New Malware Analysis Reports
CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each new MAR (AR21-084A and AR21-084B) identifies a webshell observed in post-compromised Microsoft Exchange Servers. After successful exploiting a Microsoft Exchange Server vulnerability for initial accesses, a malicious cyber actor can upload a webshell to enable remote administration of the affected system.
Microsoft One-Click Mitigation Tool
Microsoft has released a one-click mitigation tool. It's important to note however that Microsoft points out that "This tool should only be used as a temporary mitigation until your Exchange servers can be fully updated as outlined in our previous guidance."
Applying Security Update
According to the Microsoft Response Center, the only complete method for mitigating the known vulnerabilities is to apply the security updates.
It's critical however to pay attention to the known issues listed with the security updates. The first issue is "When you try to manually install this security update by double-clicking the update file (.msp) to run it in normal mode (that is, not as an administrator), some files are not correctly updated. When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed."
The security update must be run from a command prompt using Run as administrator for elevated permissions. Organizations who did not apply the security update from a command prompt with elevated permissions should immediately reapply the security update.
Microsoft Safety Scanner
A step in the one-click mitigation tool is to run the Microsoft Safety Scanner. As a precautionary step, organizations that previously patched their Exchange server(s) should consider running the most recent version of the Microsoft Safety Scanner or perform a complete scan with their existing anti-virus/anti-malware software to ensure any malware from a past compromise has been removed.
p.s. IntegraONE Incident Response Event
IntegraONE is hosting an Incident Response event at the Tech Data Cyber Range on April 29. Find details and register here: https://info.integraone.com/ir-choose-your-own-adventure.
Scott is Technical Communications Coordinator at IntegraONE and is tasked with helping inform and educate our customers regarding technologies, products and support-related issues. Scott has been in the IT industry for longer than he would like to admit, having held both individual contributor and managements roles in software development, technical marketing, systems management, project management and service delivery.