HAFNIUM Response: Cybereason is Dedicated to Defending Our Customers
March 18, 2021 |
2 minute read
Cybereason Security Team
It was recently disclosed that Microsoft Exchange offerings were severely compromised in nation-state sponsored operations by the threat group known as HAFNIUM. This incident has potentially affected tens-of-thousands of public and private organizations across the globe.
The Cybereason Incident Response Team continues to investigate the evolving HAFNIUM-related threats in order to further protect our customers against a growing number of adversaries reported to be actively targeting still-vulnerable as well as patched, but not yet fully remediated, Microsoft Exchange servers.
Here’s what you need to know about the most recent developments in the HAFNIUM attacks and how Cybereason is continuing to protect our family of defenders:
These are effectively ProxyLogon attacks that started with HAFNIUM exploiting the above-mentioned Exchange vulnerabilities or leveraging stolen account credentials to gain access to an organization’s Exchange Server. The threat actors then established a webshell for the purpose of controlling the Exchange Server remotely. Finally, the attackers remotely exfiltrated sensitive information from targeted organizations’ networks.
Three days after Microsoft’s announcement, KrebsOnSecurity reported that HAFNIUM had taken advantage of the security flaws to compromise tens of thousands of organizations based in the United States alone. Per Reuters reporting, it was the same story for tens of thousands of other organizations in Asia and Europe, including Norway’s parliament, Europe’s banking authority and the Spanish government.
Microsoft urged customers to use this script to scan for HAFNIUM’s Indicators of Compromise (IOCs) and to use these security updates to patch their affected systems. It quickly became apparent to tens of thousand of impacted organizations that patching alone would not be enough to protect systems from further intrusions.
Cybereason is Dedicated to Defending Our Customers
Cybereason puts the security of our customers first, and all of our customers were protected from the initial HAFNIUM attacks and continue to be protected from subsequent attacks by other threat actors.
The Cybereason Defense Platform provides multi-layer protection against threats like HAFNIUM. Cybereason EDR and XDR detect the post-exploitation techniques including the use of PowerCat, lsass process dumping, and the Nishang Invoke-PowershellTcpOneLine reverse shell.
In addition, the Cybereason NGAV stack prevents the execution of malware payloads and credential theft attempts at later stages of the HAFNIUM actor’s attack, as well as the most recent attacks from other threat actors leveraging the DearCry Ransomware.
If your organization is being impacted by these recent attacks, or if you have concerns about the potential your organization has been compromised, contact us immediately for containment by our expert Incident Response team.
We can also help your security team hunt for and eliminate unidentified threats through a custom Compromise Assessment. Cybereason can also work with your team to accelerate your security operations through our Managed Detection and Response services to keep your organization protected from potential compromise.
The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.