Recently, several major vulnerabilities were discovered in Microsoft’s Exchange environment.
This ongoing campaign has been named Hafnium by threat researchers. According to various sources, these vulnerabilities have been actively exploited by threat actors since early January.
At Blue Bastion, our team is actively assisting clients in mitigating these threats and, if necessary, conducting a more in-depth investigation to ascertain if any compromise was successful against their environments.
Next Steps & Recommendations
Blue Bastion recommends that, as an immediate first step, all Microsoft updates and patches be applied to existing Exchange environments. You should complete this task even before any investigation takes place due to the severity of the threat.
The threat actors are utilizing three different vulnerabilities to both install web shells on Exchange servers and perform various hostile actions. The updates to the Exchange Servers can be found on the Microsoft website.
If you would like help installing these patches, or you’d prefer that Ideal Integrations install these patches for you, please contact the Network Operations Center (NOC) via email at firstname.lastname@example.org, or by phone at 412-349-6678
Once these updates have been completed, we’ll provide any further assistance in investigating whether or not your systems were breached. Additionally, we’ll identify any possible data exfiltration or ongoing threats to your environment.
Instructions for Current Customers
For our current clients, our cyber security team has been actively researching this ongoing threat scenario.
We’re currently developing indicators of compromise (IOC) to use with our existing toolset. Our analysts are proactively conducting threat hunts across all our customers environment for these indicators compromise.
These range from IP addresses, file hashes and file modification information. All our toolsets have been updated with the IOCs and we will continue to monitor and investigate any alerts related to these IOCs.
Please contact us if you have any questions or need assistance. Stay vigilant, and remember that we’re here to protect your environment, 24/7/365!