During the last month, reports of cyberattacks targeting vulnerabilities in on-premises Microsoft Exchange servers have continued to make headlines. It all started in early March, when Microsoft released out-of-band patches for four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, collectively known as ProxyLogon) and CISA issued an emergency directive warning that Hafnium, a threat actor believed to be a nation state, was already exploiting them.
Since then, cybercriminals have used these Microsoft Exchange vulnerabilities as a way to launch a variety of nefarious campaigns. Most recently, SophosLabs found that cybercriminals were using a compromised Exchange server to host a malicious Monero cryptominer payload, while leveraging the ProxyLogon exploit to target other vulnerable servers. Before that, ransomware operators took advantage of the same ProxyLogon vulnerabilities to launch DearCry and Black Kingdom ransomware attacks on organizations and extort them for payment in exchange for returning access to their files.
So, if Microsoft has issued patches for these Exchange vulnerabilities and CISA is urging organizations to patch on-premises Exchange servers, why are these attacks still happening?
Unfortunately, many organizations have still neglected to patch their systems or to check whether attackers are already inside them, leaving them exposed as easy targets for these attacks. The time to act and take these vulnerabilities out of cybercriminals’ toolboxes is now, and there are a few ways that channel partners can help.
Steps Partners Can Take to Protect Against Exploits
First and foremost, partners can and should play a key role in making sure customers are patching all on-premises Microsoft Exchange servers in their environments with the relevant security update. Details can be found on Microsoft’s Exchange Team blog. However, it is important to note that patching only closes the entry point: it does not remove web shells or any other persistence an attacker dropped before the patch was applied. A server that was internet-facing and unpatched while the exploit was in the wild should be treated as potentially compromised until it has been investigated.
If a customer believes the organization has been exposed, channel partners should consult the Sophos MTR team’s step-by-step guide on how to search a customer’s network for signs of compromise. After patching or disabling servers that could potentially be exploited, Sophos recommends:
- Determining possible exposure by downloading and running the Test-ProxyLogon.ps1 script provided by the Microsoft Customer Support Services team, which parses the Exchange logs for known exploitation indicators
- Looking for web shells or other suspicious .aspx files, particularly ones created or modified after the exploitation window opened
- Using a query to identify potential web shells to investigate, checking the patch level of your servers, and looking for suspicious commands
- Establishing impact by reviewing process activity and command executions from the time the web shell was created onward
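The following PowerShell triage script is an added example that is not part of the original post or of the Sophos MTR guide; it is one way to run the last three steps above on an Exchange server itself. It assumes you run it elevated on the server, that the `ExchangeInstallPath` environment variable is set (it is on Exchange 2013 and later), that process-creation auditing (Security event 4688) with command-line logging is enabled, and that `$Since` is the earliest date you believe exploitation could have started. The drop directories and content patterns come from public HAFNIUM reporting, not from this post, and should be extended for your own layout.

```powershell
# Added triage example (not from the original post). Run elevated on the Exchange server.
param(
    [datetime]$Since = (Get-Date '2021-02-26')   # assumption: start of the exploitation window to hunt
)

# 1. Patch level: read the build from ExSetup.exe rather than trusting the GUI, then
#    compare it against the fixed builds listed on the Exchange Team blog for your CU.
$exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
$build   = (Get-Item $exsetup).VersionInfo.ProductVersion
Write-Host "Exchange build: $build"

# 2. Web-shell hunt in the directories where ProxyLogon drops were commonly reported
#    (assumed locations taken from public reporting; add any custom virtual directories).
$dropDirs = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\ecp\auth')
)
# Source fragments typical of one-line .aspx shells. Legitimate Exchange pages also use
# Request/Page_Load, so the timestamp filter and a manual review of each hit are still required.
$shellPattern = 'eval\(|Request\[|Request\.Form|Request\.Item|System\.Diagnostics\.Process|cmd\.exe|powershell'

$suspect = foreach ($dir in $dropDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -Include *.aspx,*.ashx -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path             = $_.FullName
                Created          = $_.CreationTime
                Modified         = $_.LastWriteTime
                # Hash before anything is touched so the evidence survives remediation.
                SHA256           = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                ShellLikeContent = (Select-String -Path $_.FullName -Pattern $shellPattern -Quiet)
            }
        }
}
$suspect | Sort-Object Created | Format-Table -AutoSize

# 3. Establish impact: anything spawned by the IIS worker process (w3wp.exe) after the
#    earliest suspect file appeared is a command that was run through the web shell.
$earliest = ($suspect | Sort-Object Created | Select-Object -First 1).Created
if (-not $earliest) { $earliest = $Since }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $earliest } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Creator Process Name:\s+\S*\\w3wp\.exe' } |
    ForEach-Object {
        $proc = if ($_.Message -match 'New Process Name:\s+(\S+)')      { $Matches[1] } else { '' }
        $cmd  = if ($_.Message -match 'Process Command Line:\s+(.*)')   { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{ Time = $_.TimeCreated; Process = $proc; CommandLine = $cmd }
    } | Format-Table -AutoSize -Wrap
```

The script only reports; it does not delete anything, because the file hashes, timestamps and spawned-process list are the evidence an incident responder needs to scope the intrusion. A server with hits in step 2 or 3 should be isolated and handed to the response team rather than simply cleaned and patched, since the attacker may have already moved beyond the Exchange host.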
Leveraging Threat Hunting to Avoid a Scare
Threats such as Hafnium are a great example of a situation in which having an elite team of threat hunters and response experts to back your organization can offer peace of mind. When the Hafnium news first broke, the Sophos Managed Threat Response (MTR) team immediately began to hunt and investigate in customer environments to determine whether there was any activity related to the attack. The team also looked to uncover any new artifacts or IoCs related to the attack that could provide further protection for all Sophos customers, and has been tracking all new threats closely since.
The 24/7 nature of Sophos MTR meant that not a single second was wasted before the team got to work, ensuring our customers were protected. If a non-MTR customer is seeing signs that they may be experiencing related adversarial activity, Sophos recommends they contact the Sophos Rapid Response team immediately.
This guest blog is part of a Channel Futures sponsorship.