kamiran.asia · Posted March 5, 2021

Hi dears, as you know, this week we have this vulnerability: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ and ESET does not detect these IOCs:

b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

For example, this one in particular: https://www.virustotal.com/gui/file/b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0/detection

What is ESET's reaction to this kind of hack? Is there any IDS detection included these days or not? We think that ESET must detect the mentioned IOCs.

Best regards.
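The post above lists SHA-256 indicators and asks whether they are detected. The following added example (not from the forum thread, ESET or Microsoft) is a small Python scanner that hashes every file under a directory and reports matches against that list; the `demo` helper and the constructed sample files it writes are assumptions made for the demonstration, so no real web shell content is involved.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicators quoted in the post above (Microsoft's Hafnium advisory).
HAFNIUM_WEBSHELL_SHA256 = frozenset({
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
})

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_for_iocs(root, iocs=HAFNIUM_WEBSHELL_SHA256):
    """Walk `root`, hash every regular file and return sorted (path, sha256) pairs
    whose digest is in `iocs`. Unreadable files are skipped, not fatal."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue  # permission denied, file vanished mid-scan, etc.
            if digest in iocs:
                hits.append((str(p), digest))
    return sorted(hits)

def demo():
    """Exercise the scanner on a constructed sample tree (assumption: no real web shells)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.aspx").write_bytes(b"<%-- constructed benign page --%>")
        suspect = b"<%-- constructed stand-in for a web shell --%>"
        (root / "suspect.aspx").write_bytes(suspect)
        # A custom IoC set containing the stand-in's hash shows a positive match;
        # the real Hafnium list never matches constructed content.
        custom_hits = scan_for_iocs(root, {hashlib.sha256(suspect).hexdigest()})
        return {"custom_hits": [Path(p).name for p, _ in custom_hits],
                "real_hits": scan_for_iocs(root)}
```

Pointing `scan_for_iocs` at an Exchange server's web roots only tells you whether a file with one of these exact hashes is present; a trivially modified web shell gets a different digest, which is why the thread also points to the Volexity and CISA guidance on log-based and behavioural indicators.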
Marcos (Administrator) · Posted March 5, 2021

You have received a response from samples[at]eset.com. We don't have most of the files with the listed hashes, so we can't tell if they are detected or not, or if particular files are subject to detection at all. b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0 will be detected as ASP/SecChecker.A.
itman · Posted March 5, 2021 (edited)

ESET is well aware of this situation, as noted by their blog posting on it: https://www.welivesecurity.com/2021/03/04/microsoft-fixes-four-exchange-server-zero-day-vulnerabilities/ . The problem here is that the Hafnium APT group, whose exploitation is detailed in the Microsoft article you linked, is only one of multiple APT actors exploiting this vulnerability. You need to patch your Exchange servers ASAP. Ref.: https://www.bleepingcomputer.com/news/security/dhs-orders-agencies-to-urgently-patch-or-disconnect-exchange-servers/

EDIT: Also of note is:

Quote: "Active exploitation of these Microsoft Exchange zero-days began 'as early as January 6, 2021,' as incident response firm Volexity revealed."

The Volexity article has a number of Indicators of Compromise methods that can be utilized.

Edited March 5, 2021 by itman
itman · Posted March 5, 2021

Additionally, forensic analysis recommendations plus mitigations are given in this article: https://us-cert.cisa.gov/ncas/alerts/aa21-062a
itman · Posted March 6, 2021 (edited)

Also of note:

Quote: "At least 30,000 organizations across the United States, including a significant number of small businesses, towns, cities and local governments, have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that's focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity."

Quote: "But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren't yet protected by those security updates. 'We've worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,' Adair said. 'Even if you patched the same day Microsoft published its patches, there's still a high chance there is a web shell on your server. The truth is, if you're running Exchange and you haven't patched this yet, there's a very high chance that your organization is already compromised.'"

https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/

Edited March 6, 2021 by itman
gknui · Posted March 15, 2021

Have ESET seen any signs of this vulnerability being exploited to use Exchange edge servers as jump hosts to reach O365?
itman · Posted March 15, 2021

I haven't seen anything published yet in this regard. However, one .dll involved in the current Exchange server vulnerability, OWAAUTH.dll, has been exploited in the past in this regard: https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/ .
kamiran.asia (Author) · Posted March 16, 2021

Does ESET protect me from the Hafnium zero-day exploit in Microsoft Exchange? https://support.eset.com/en/kb7855-does-eset-protect-me-from-hafnium

Exchange servers under siege from at least 10 APT groups: https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
kamiran.asia (Author) · Posted March 16, 2021

As of our research up to March 9, some web shells are detected by only 4 AV vendors: https://www.site-shot.com/sGwBrIESEeu_JQJCrBEABQ

ESET 👌