Exchange vulnerability and ESET Detections


Hi all,

As you know, this week we have this vulnerability:

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

and ESET did not detect these IOCs:

  • b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
  • 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
  • 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
  • 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
  • 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
  • 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
  • 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
  • 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

For example, this one in particular:

https://www.virustotal.com/gui/file/b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0/detection

 

What is ESET's reaction to this kind of hack?

Is there any IDS detection included these days or not? We think that ESET must detect the mentioned IOCs.

Best Regards.

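As an added example (not ESET's, Microsoft's, or the poster's code), here is a small Python sweep that hashes every file under the usual web-shell drop directories and matches the digests against the eight SHA-256 IOCs listed in the post above. The two directory paths are assumed defaults and should be adjusted to the real Exchange install root; the content regex is a hypothetical heuristic, not an official signature; and the sample tree the demo builds is constructed for illustration only.

```python
"""Sweep Exchange web directories for known web-shell hashes.

Added example, not ESET's or Microsoft's code. Hash matching alone is brittle
(one changed byte defeats it), so a simple content heuristic is run alongside.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# The eight SHA-256 IOCs listed in the forum post above.
IOC_SHA256 = {
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
}

# Assumed default drop locations (adjust to your install root).
DEFAULT_ROOTS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
]

# Hypothetical heuristic: server-side eval of request input, the shape of a
# one-line ASPX shell. Not an official signature; expect some false positives.
SUSPECT_PATTERN = re.compile(rb"\beval\s*\(\s*Request\b", re.IGNORECASE)
WEB_SUFFIXES = {".aspx", ".asp", ".ashx", ".asmx", ".ascx"}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries do not get loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(roots, iocs=IOC_SHA256):
    """Return (hash_hits, content_hits).

    hash_hits:    list of (path, sha256) whose digest is in `iocs`
    content_hits: list of web-script paths matching SUSPECT_PATTERN
    """
    hash_hits, content_hits = [], []
    for root in map(Path, roots):
        if not root.is_dir():
            continue  # path absent on this host; nothing to scan
        for p in root.rglob("*"):
            if not p.is_file():
                continue
            try:
                digest = sha256_of_file(p)
                if digest in iocs:
                    hash_hits.append((str(p), digest))
                if p.suffix.lower() in WEB_SUFFIXES and SUSPECT_PATTERN.search(p.read_bytes()):
                    content_hits.append(str(p))
            except OSError:
                continue  # locked or unreadable; skip rather than abort the sweep
    return hash_hits, content_hits


def run_demo():
    """Constructed sample tree (not real IOCs): one benign page, one file whose
    digest is registered as an extra IOC, and one file hitting the heuristic."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "aspnet_client"
        root.mkdir()
        (root / "benign.aspx").write_bytes(b'<%@ Page Language="C#" %>\n<p>ok</p>\n')
        (root / "match.aspx").write_bytes(b"abc")  # sha256("abc") is a known test vector
        (root / "suspect.aspx").write_bytes(b'<% eval(Request["cmd"]) %>')
        extra_ioc = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
        hash_hits, content_hits = sweep([root], IOC_SHA256 | {extra_ioc})
        return {
            "hash_hits": [(Path(p).name, d) for p, d in hash_hits],
            "content_hits": [Path(p).name for p in content_hits],
        }


if __name__ == "__main__":
    print("demo:", run_demo())
    real_hash_hits, real_content_hits = sweep(DEFAULT_ROOTS)
    print("IOC hash matches:", real_hash_hits)
    print("heuristic matches (triage manually):", real_content_hits)
```

A hash match is strong evidence of a known shell; a heuristic match needs manual triage. A clean result is not proof of absence, since shells are renamed and edited freely, so the file sweep should be paired with the log-based checks Microsoft and Volexity published rather than replace them.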

  • Administrators

You have received a response from samples[at]eset.com. We don't have most of the files with the listed hashes, so we can't tell if they are detected or not, or if particular files are subject to detection at all.

b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0 will be detected as ASP/SecChecker.A.


Eset is well aware of this situation as noted by their blog posting on it: https://www.welivesecurity.com/2021/03/04/microsoft-fixes-four-exchange-server-zero-day-vulnerabilities/ .

The problem here is that the Hafnium APT group, whose exploitation is detailed in the Microsoft article you linked, is only one of multiple APT actors exploiting this vulnerability. You need to patch your Exchange servers ASAP.

Ref.: https://www.bleepingcomputer.com/news/security/dhs-orders-agencies-to-urgently-patch-or-disconnect-exchange-servers/

-EDIT- Also of note is:

Quote

Active exploitation of these Microsoft Exchange zero-days began "as early as January 6, 2021," as incident response firm Volexity revealed.

The Volexity article has a number of Indicators of Compromise methods that can be utilized.

Edited by itman

Also of note:

Quote

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity.

Quote

But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by those security updates.

“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.

https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/

Edited by itman

  • 2 weeks later...

Have ESET seen any signs of exploiting this vulnerability to use the exchange edge servers as jump hosts to reach O365?


I haven't seen anything published yet in this regard.

However, one .dll involved in the current Exchange server vulnerability, OWAAUTH.dll, has been exploited in the past in this regard: https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/ .


Does ESET protect me from the Hafnium zero-day exploit in Microsoft Exchange?

https://support.eset.com/en/kb7855-does-eset-protect-me-from-hafnium

 

Exchange servers under siege from at least 10 APT groups

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
