Sophos: Hafnium ALERT: Recommendations to remediate Exchange Server vulnerability
On March 2nd, zero-day vulnerabilities affecting on-premises versions of Microsoft Exchange Server 2013, 2016, and 2019 were publicly disclosed. These vulnerabilities are being actively exploited in the wild by Hafnium and other threat actors. Sophos strongly recommends you take this threat seriously and act immediately, if you have not already done so. Whether that is educating your customers using the links below, or taking action if you manage their infrastructure. Sophos is regularly updating the Hafnium articles with the latest information and detections. • HAFNIUM: Advice about the new nation-state attack • Protecting Sophos Customers from Hafnium • Serious Security: Webshells explained in the aftermath of HAFNIUM attacks • Naked Security Podcast S3 Ep23: Hafnium happenings, I see you, and Pythonic poison Actions to take if you manage customer infrastructure Security best practices state you should assume your customers are impacted and act accordingly. At a minimum you should: • Backup Exchange/IIS Server logs then patch all Exchange servers ο Patching only ensures that your customer cannot be breached again. If they have already been breached, they will continue to be vulnerable even after patching • If your customer has a Sophos EDR product, perform a threat hunt by running queries to determine the possible exposure • Remove web shells and change passwords on all Exchange Servers • Ensure endpoint protection is deployed on all endpoints and servers The Sophos Managed Threat Response (MTR) team has published detailed guidance on how to respond to Hafnium. If you or your customers need expert assistance to determine exposure or remediate the situation, there are services available to help: • Managed Threat Response (MTR) – a managed security service that can perform threat hunting to identify adversarial activity in your environment and neutralize the situation • Rapid Response (RR) – If you have identified an active attack in your environment and need immediate assistance to neutralize the attack, this service is available |
