If you want just to see how to find HAFNIUM Exchange Zero-Day Activity, skip down to the “detections” sections. Otherwise, read on for a quick breakdown of what happened, how to detect it, and MITRE ATT&CK mappings.

Introduction to HAFNIUM and the Exchange Zero-Day Activity

On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable.

While the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. This includes the ability to run code as SYSTEM and write to any path on the server.

A temporary mitigation for these vulnerabilities from external threats is restricting access to OWA, such as placing the OWA server behind a VPN to prevent external access. This does not, however, prevent an internal attacker from exploiting the vulnerability.

You may be thinking, “another Tuesday filled with patches, just like any other month.” That may be true to some extent, but it is essential to point out, based on Volexity’s blog, that: “In all cases of RCE (remote code execution), Volexity has observed the attacker writing web shells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT), and move laterally to other systems and environments.”

I don’t know about you, but whenever I see an adversary stealing copies of my Active Directory (AD) database, that sends chills down my spine because, at that point, I am rebuilding my entire AD from scratch as part of my remediation effort. For more color, stealing the AD database implies that the adversary will have domain administrator privilege, so this is important to investigate.
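As an added example that is not part of the original post, the script below triages constructed Sysmon-style file-creation records for the two post-exploitation artifacts Volexity describes: ASPX files dropped by the IIS worker process and a copy of NTDS.DIT appearing outside its usual directory. The record format, the `w3wp.exe` process name, the `C:\Windows\NTDS` location and every path in the sample data are assumptions for this example.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed, pipe-delimited records modelled on Sysmon Event ID 11 (FileCreate).
# Field names, process images and paths are assumptions, not real telemetry.
SAMPLE_EVENTS = [
    "EventID=11|Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe"
    "|TargetFilename=C:\\inetpub\\wwwroot\\aspnet_client\\example.aspx",
    "EventID=11|Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe"
    "|TargetFilename=C:\\inetpub\\temp\\cache.tmp",
    "EventID=11|Image=C:\\Windows\\System32\\cmd.exe"
    "|TargetFilename=C:\\Windows\\Temp\\ntds.dit",
    "EventID=11|Image=C:\\Windows\\System32\\lsass.exe"
    "|TargetFilename=C:\\Windows\\NTDS\\ntds.dit",
]

@dataclass
class Alert:
    rule: str
    image: str
    path: str

def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; values may contain spaces but not '|'."""
    return dict(field.split("=", 1) for field in line.split("|") if "=" in field)

def check_event(ev: Dict[str, str]) -> List[Alert]:
    alerts: List[Alert] = []
    if ev.get("EventID") != "11":        # only file-creation events are of interest
        return alerts
    image = ev.get("Image", "")
    path = ev.get("TargetFilename", "")
    proc = ntpath.basename(image).lower()
    name = ntpath.basename(path).lower()
    # Rule 1: the IIS worker process (assumed w3wp.exe) writing an ASPX file,
    # the web-shell drop pattern quoted from Volexity above.
    if proc == "w3wp.exe" and name.endswith(".aspx"):
        alerts.append(Alert("aspx_drop_by_iis", image, path))
    # Rule 2: ntds.dit materialising anywhere other than its expected
    # directory (assumed C:\Windows\NTDS), consistent with an AD database copy.
    if name == "ntds.dit" and not ntpath.dirname(path).lower().endswith("\\windows\\ntds"):
        alerts.append(Alert("ntds_copy", image, path))
    return alerts

def triage(lines: Iterable[str]) -> List[Alert]:
    """Run both rules over every record and return the alerts in input order."""
    return [a for line in lines for a in check_event(parse_event(line))]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert.rule}: {alert.image} -> {alert.path}")
```

Both rules are deliberately narrow; in production they would be paired with the Exchange-specific paths and the additional handler extensions your environment serves.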