If you haven’t heard by now, there’s a 0-day in the wild that has been dubbed “HAFNIUM.” HAFNIUM targets the following Exchange Server versions:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Exchange Online is not affected.
The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Further information about the update that resolves them can be found here: Multiple Security Updates Released for Exchange Server – Microsoft Security Response Center
The Microsoft security teams have already published the IOCs, and have also supplied product detections and queries for Azure Sentinel and Defender so SOCs can hunt in their own environments and raise alerts for remediation.
The following page supplies all the information about this serious issue and also provides links to new Azure Sentinel Analytics Rules and Hunting queries: HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security
But for a quick turnaround, I’ll also list the links to the collateral here:
Azure Sentinel Detections:
- HAFNIUM Suspicious Exchange Request
- HAFNIUM UM Service writing suspicious file
- HAFNIUM New UM Service Child Process
- HAFNIUM Suspicious UM Service Errors
- HAFNIUM Suspicious File Downloads **
**One quick caveat with that last one (Suspicious File Downloads): this query uses the Exchange HttpProxy AOBGeneratorLog. That log is not collected by default, so you will need to onboard it as a custom log under the table http_proxy_oab_CL before the query returns anything.
Additional queries from the Azure-Sentinel GitHub repository:
- Azure-Sentinel/ExchangePowerShellSnapin.yaml at master · Azure/Azure-Sentinel (github.com)
- Azure-Sentinel/Invoke-PowerShellTcpOneLine.yaml at master · Azure/Azure-Sentinel (github.com)
- Azure-Sentinel/PowerCatDownload.yaml at master · Azure/Azure-Sentinel (github.com)
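On the custom-log caveat above: the table name a query sees is the Log-Type you onboard under plus the `_CL` suffix, so the Suspicious File Downloads query only works if the log lands in `http_proxy_oab_CL` exactly. The snippet below is an added example (mine, not Microsoft's and not part of the original post) showing one way to push log lines into that table programmatically via the Azure Monitor HTTP Data Collector API, with the SharedKey signing scheme that API documents. Microsoft's post assumes you onboard the log through the agent's custom logs feature instead; this is an alternative for environments where the log is shipped by script. The workspace id, shared key and the log line itself are placeholders, and nothing is sent unless you call `post_records` yourself.

```python
"""Push log lines into an Azure Sentinel / Log Analytics custom table.

Added example, not from the original post. Uses the Azure Monitor HTTP Data
Collector API: POST https://<workspace>.ods.opinsights.azure.com/api/logs with
a Log-Type header; Log Analytics appends "_CL" to that value to form the table
name, so Log-Type "http_proxy_oab" feeds the table http_proxy_oab_CL.
Workspace id, shared key and the sample log line are constructed placeholders.
"""
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

RESOURCE = "/api/logs"
CONTENT_TYPE = "application/json"
API_VERSION = "2016-04-01"


def custom_table_name(log_type: str) -> str:
    """Log Analytics stores custom logs as <Log-Type>_CL."""
    return f"{log_type}_CL"


def string_to_sign(method: str, content_length: int, rfc1123_date: str) -> str:
    """Canonical string the Data Collector API expects to be HMAC-SHA256 signed."""
    return (
        f"{method}\n{content_length}\n{CONTENT_TYPE}\n"
        f"x-ms-date:{rfc1123_date}\n{RESOURCE}"
    )


def build_signature(shared_key_b64: str, workspace_id: str, method: str,
                    content_length: int, rfc1123_date: str) -> str:
    """Return the value for the Authorization header ("SharedKey <id>:<b64 mac>")."""
    key = base64.b64decode(shared_key_b64)
    message = string_to_sign(method, content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id: str, shared_key_b64: str, log_type: str,
                  records: list, rfc1123_date: str = None):
    """Assemble URL, headers and JSON body; does not touch the network."""
    body = json.dumps(records).encode("utf-8")
    if rfc1123_date is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Authorization": build_signature(shared_key_b64, workspace_id, "POST",
                                         len(body), rfc1123_date),
        "Log-Type": log_type,       # becomes the table name + "_CL"
        "x-ms-date": rfc1123_date,  # must match the signed date exactly
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{RESOURCE}?api-version={API_VERSION}")
    return url, headers, body


def post_records(workspace_id: str, shared_key_b64: str, log_type: str,
                 records: list) -> int:
    """Send the records; the API answers 200 on accepted ingestion."""
    url, headers, body = build_request(workspace_id, shared_key_b64, log_type, records)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder credentials and a constructed log line (not a real OAB log format).
    WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"   # placeholder
    SHARED_KEY = base64.b64encode(b"placeholder-key").decode()  # placeholder
    sample = [{"RawData": "constructed sample line from the OAB generator log"}]
    url, headers, body = build_request(WORKSPACE_ID, SHARED_KEY, "http_proxy_oab", sample)
    print("target table:", custom_table_name(headers["Log-Type"]))
    print("POST", url)
    print("body bytes:", len(body))
    # post_records(WORKSPACE_ID, SHARED_KEY, "http_proxy_oab", sample)  # uncomment to send
```

The `x-ms-date` header and the signed date must be the same string, and the content length in the signature must be the length of the exact bytes sent, otherwise the API rejects the request with 403; `build_request` derives both from the same values to avoid that mismatch.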
If you’re running Exchange on-premises, now is the time to patch. Don’t wait.