HAFNIUM targeting Exchange Servers with 0-day exploits

Microsoft is urging users of its on-premise Exchange Servers to quickly apply updates to protect against recently discovered 0-day exploits. At least 30,000 organizations across the United States, including a significant number of small businesses, non-profits and local governments, have been breached. On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013-2019 that bad actors were actively using to steal email communications from on-premise, internet-facing hosts running Exchange.

In addition to patching all on-premise Exchange servers, CISA (Cybersecurity & Infrastructure Security Agency) and MSRC (Microsoft Security Response Center) recommend taking steps to assess whether your on-premise servers have potentially been exposed to these exploits. As detailed in an Alert posted by CISA on March 3rd, the malicious script leaves behind key markers that can be used to determine whether a server has been compromised, including suspicious HTTP POST requests, IP addresses leveraged in the attacks, and suspicious aspx files.

It is important to note that updating your on-premise Exchange server does not remediate a server that has already been compromised. Contact Microman today to determine if your Exchange Server is affected by these exploits. Our team can assist in applying security updates and assessing whether your data has been put at risk. Do not delay in taking immediate action to protect your digital assets.