Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and remediating threats to prevent lateral spread.
Investigation and enhanced threat detection across multi-cloud or hybrid environments.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Customer testimonials and case studies.
Stories on cyberattacks, customers, employees, and more.
Cyber incident, analyst, and thought leadership reports.
Demonstrations, seminars and presentations on cybersecurity topics.
Information and solution briefs for our services.
MITRE ATT&CK Framework, Cybersecurity Assessment, SOC Calculator & more
eSentire will be a sponsor at the Seattle CyberSecurity Conference.
eSentire will be a Sponsor at the NetDiligence Cyber Risk Summit in…
eSentire will be presenting and is a Gold Sponsor at the CyberRisk…
THE THREAT
On March 2nd 2021 Microsoft released security updates for multiple 0-day vulnerabilities in on-premises versions of Exchange. Microsoft also published a threat research report describing technical details related to these attacks.
Microsoft has indicated these attacks are limited and targeted in nature and attributes the activity to a threat actor group dubbed HAFNIUM. Customers should prioritize the patching of affected products immediately.
When exploited, these vulnerabilities permit access to on-premises Exchange servers enabling unauthorized access to email. Additionally, Microsoft reports attackers employed webshell malware to maintain access to compromised Exchange servers. Exchange Online is not affected by these vulnerabilities.
What we’re doing about it
What you should do about it
Additional information
The recent critical vulnerabilities are as follows and affect Microsoft Exchange Server versions 2013, 2016, and 2019.
CVE-2021-26855 (CVSS Score: 9.1/10) – Is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange, which allows a threat actor to send an arbitrary HTTP request and authenticate as the Exchange server.
CVE-2021-26857 (CVSS Score: 7.8/10) – Is an insecure deserialization vulnerability in the Unified Messaging service and requires administrator privileges or the use of another vulnerability to exploit. This vulnerability gave HAFNIUM the controls to run code as SYSTEM on an exchange server.
CVE-2021-26858/CVE-2021-27065 (CVSS Score: 7.8/10) – Are post-authentication arbitrary file write vulnerabilities in Microsoft Exchange and require either compromising an admin’s credentials or the use of CVE-2021-26855.
The vulnerabilities above were used as a part of the attack chain by HAFNIUM, which required the initial ability to make an untrusted connection to a Microsoft Exchange server on port 443. While this can be mitigated by setting up a VPN to separate the Exchange server from external access or by restricting untrusted connections, it will only protect users from the initial portion of the attack. Threat actors can use alternative means to exploit these vulnerabilities, such as convincing an administrator to run a malicious file or if the attacker already gained access to the environment via other means.
All of these vulnerabilities should receive a high priority for patching as exploitation was observed and attributed to state-sponsored group HAFNIUM.
References:
[1] https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
[2] https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/