Nielsb
Reliable Contributor
Message 1 of 18

HAFNIUM targeting Exchange Servers with 0-day exploits

Hi, patch now: HAFNIUM is targeting Exchange with 0-day exploits.

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.

The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today’s Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange ...

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

What is McAfee's detection for the 0-day exploits in ENS, MVISION Insights, MVISION EDR or SIEM?

 

17 Replies
yaz
McAfee Employee
Message 2 of 18

Re: HAFNIUM targeting Exchange Servers with 0-day exploits

Hi @Nielsb 

It looks like this is an ongoing issue.

If you have samples or any advisories regarding this, I request you to raise an SR with our MALWARE team and we will request to add detections.

Was my reply helpful?

If yes, please give me a kudo. 

If I have answered your queries, kindly mark this as solution and we together can help other community members. 

 

Nielsb
Reliable Contributor
Message 3 of 18

Re: HAFNIUM targeting Exchange Servers with 0-day exploits

Hi Yaz,

Thank you for your reply.

You can find the IOCs in Microsoft's blog post:

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Host IOCs Hashes

Web shell hashes


Paths

We observed web shells in the following paths:

  • C:\inetpub\wwwroot\aspnet_client\
  • C:\inetpub\wwwroot\aspnet_client\system_web\
  • In Microsoft Exchange Server installation paths such as:
    • %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
    • C:\Exchange\FrontEnd\HttpProxy\owa\auth\

The web shells we detected had the following file names:

  • web.aspx
  • help.aspx
  • document.aspx
  • errorEE.aspx
  • errorEEE.aspx
  • errorEW.aspx
  • errorFF.aspx
  • healthcheck.aspx
  • aspnet_www.aspx
  • aspnet_client.aspx
  • xx.aspx
  • shell.aspx
  • aspnet_iisstart.aspx
  • one.aspx

 Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.
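
A read-only check for the host indicators quoted in the post above, as an added example that is not part of the original thread or of Microsoft's guidance: it looks for the listed file names under the listed paths and lists archives under C:\ProgramData. The function names are hypothetical, and it assumes PowerShell 4.0 or later (for Get-FileHash) in an elevated session on the Exchange server.

```powershell
# Added example (not from the thread): look for the web shell file names and
# paths quoted above. Read-only; nothing is modified or deleted.

$shellNames = @(
    'web.aspx', 'help.aspx', 'document.aspx', 'errorEE.aspx', 'errorEEE.aspx',
    'errorEW.aspx', 'errorFF.aspx', 'healthcheck.aspx', 'aspnet_www.aspx',
    'aspnet_client.aspx', 'xx.aspx', 'shell.aspx', 'aspnet_iisstart.aspx', 'one.aspx'
)

# Recursing from aspnet_client also covers aspnet_client\system_web.
$searchRoots = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth'),
    'C:\Exchange\FrontEnd\HttpProxy\owa\auth'
)

function Find-ListedWebShellName {
    param([string[]]$Roots, [string[]]$Names)
    foreach ($root in $Roots) {
        # Not every path exists on every server; skip the missing ones.
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue |
            Where-Object { $Names -contains $_.Name } |   # -contains is case-insensitive
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $_.FullName
                    CreatedUtc  = $_.CreationTimeUtc
                    ModifiedUtc = $_.LastWriteTimeUtc
                    SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
                }
            }
    }
}

function Find-ProgramDataArchive {
    param([string]$Root = 'C:\ProgramData')
    # Archives here are only a lead for review, not proof of exfiltration.
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.zip', '.rar', '.7z' } |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
}

Find-ListedWebShellName -Roots $searchRoots -Names $shellNames | Format-List
Find-ProgramDataArchive | Sort-Object LastWriteTimeUtc -Descending | Format-Table -AutoSize
```

The SHA256 column can be compared against the web shell hashes published in the Microsoft blog post linked above.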

 

yaz
McAfee Employee
Message 4 of 18

Re: HAFNIUM targeting Exchange Servers with 0-day exploits

Hi @Nielsb 

Unfortunately, none of the provided hashes is covered in our current DAT/AMCORE. 

Can you kindly raise an SR with the details or raise an SR referring to this community post?

This helps us to track down issues and assist you with the issues.

Was my reply helpful?

If yes, please provide me with Kudo.

If I have answered your query, kindly mark this as solution so that together we help other community members.

Nielsb
Reliable Contributor
Message 5 of 18

Re: HAFNIUM targeting Exchange Servers with 0-day exploits

Hi Yaz,

Thanks for checking the hashes.

My SR is 4-21759554671, and I will refer to the post in the community.

 

yaz
McAfee Employee
Message 6 of 18

Re: HAFNIUM targeting Exchange Servers with 0-day exploits

Hi @Nielsb 

Our assigned Technical Support Engineer will work with you in resolving this issue.  

 

th3stinger
Level 9
Message 7 of 18

Re: HAFNIUM targeting Exchange Servers with 0-day exploits

Any estimation on when a DAT/ExtraDAT will be released? 

In the meantime, is there any particular "signature/application rule" that we can harden in the Exploit Prevention policy for our Exchange servers? 

 
IanMFE1
Level 7
Message 8 of 18

Re: HAFNIUM targeting Exchange Servers with 0-day exploits

#following.. Any update?

yaz
McAfee Employee
Message 9 of 18

Re: HAFNIUM targeting Exchange Servers with 0-day exploits

We are working with our Labs Engineering on this issue. I will post further updates as soon as they become available. As @Nielsb did, if you have any queries or concerns, we would request you to raise an SR; an engineer will be auto-assigned and will help you with the requests.

As soon as coverage information becomes available, I will post further updates to this thread. 

Was my reply helpful?

If yes, kindly give me a Kudo.

If I have answered your query, kindly mark this as solution, so that together we help other community members. 

galih27
Level 9
Message 10 of 18

Re: HAFNIUM targeting Exchange Servers with 0-day exploits

Hello McAfee team, is there any updated info related to this problem for the product McAfee Endpoint Security + EDR?

is the first step to overcoming time
