A threat actor group known as Hafnium by Microsoft has been tied to compromising Microsoft Exchange servers with several zero-day vulnerabilities. It’s been reported that the attackers launched a massive compromise attack against 60,000+ Exchange Servers before patches became available, and many other attackers are actively looking for exploited Exchange servers.

A compromised Exchange Server allows attackers to move laterally and unleash further attacks like ransomware. The primary attack involved deploying web shells, giving the attacker access to the Exchange Server. It’s likely that if you have an internet-facing Microsoft Exchange Server, it was compromised due to the haphazard attacks launched before Microsoft released the Exchange patches.

First and foremost, apply patches to the Exchange infrastructure. Then:

- Look for AI Engine events involving your Exchange infrastructure (host names, IPs, privileged users and service accounts) from January 5th, 2021 to the present.
- Use the Microsoft Indicator of Compromise (IOC) scanning tool on recommended systems.
- Review NextGen Firewall, Intrusion Detection Systems (IDS), EDR, and AV logs involving your Exchange infrastructure from January 5th, 2021 to the present.

We have curated a list of IOCs you can add into lists for threat hunts on our GitHub page here. You may also want to visit our previous blog titled “How to Detect and Search for SolarWinds IOCs in LogRhythm” to learn how to perform threat hunts using IOC lists here.
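As an added illustration (not LogRhythm's code and not the curated IOC list), the following Python script shows the shape of the log-based hunt described above: it parses log lines, keeps only those dated January 5th, 2021 or later, and flags entries whose source IP, host name or account appears in an IOC list. Every indicator, host name and log line in it is a constructed placeholder.

```python
# Added example, not LogRhythm's code. IOCs and log lines are constructed
# placeholders (RFC 5737 test addresses, made-up host and account names).
from datetime import date, datetime
import re

HUNT_START = date(2021, 1, 5)  # start of the recommended hunt window

# Constructed IOC list; in practice load the curated list from a file.
IOC_LIST = {
    "ip": {"192.0.2.10", "198.51.100.7"},
    "host": {"EXCH01", "EXCH02"},            # internet-facing Exchange hosts
    "user": {"svc_exchange", "exch_admin"},  # privileged / service accounts
}

# Constructed key=value log format: timestamp host src user message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"host=(?P<host>\S+) src=(?P<src>\S+) user=(?P<user>\S+) msg=(?P<msg>.*)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec

def hunt(lines, iocs=IOC_LIST, start=HUNT_START):
    """Return (line, [matched indicator kinds]) for every in-window IOC hit."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"].date() < start:
            continue  # unparseable, or before the hunt window
        kinds = [k for k, field in (("ip", "src"), ("host", "host"), ("user", "user"))
                 if rec[field] in iocs[k]]
        if kinds:
            hits.append((line, kinds))
    return hits

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2020-12-20T08:00:00 host=EXCH01 src=192.0.2.10 user=alice msg=OWA logon",
    "2021-01-06T02:13:44 host=EXCH01 src=192.0.2.10 user=svc_exchange msg=OWA request",
    "2021-02-14T11:02:01 host=FILESRV src=10.0.0.5 user=bob msg=SMB session",
    "2021-03-02T23:59:10 host=EXCH02 src=203.0.113.9 user=exch_admin msg=new process",
]
```

Running `hunt(SAMPLE_LOGS)` skips the December 2020 line even though it matches indicators, and reports the two 2021 lines with the kinds of indicator that matched.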