Team: Huntress EDR
Product: Exchange Patch Management, HAFNIUM
Environment: Exchange Server
Summary: Exchange servers are highly targeted and often prone to 0-day exploits like HAFNIUM. We recommend regular patching to ensure vulnerabilities are addressed as soon as possible.
If you're reading this article, you are probably aware that there's a 0-day Microsoft Exchange Server exploit that was uncovered. We are regularly updating this support article with details as we learn more. The article also includes information about what to expect from Huntress.
Last updated: March 7, 2021 23:00 ET
Related Technical articles:
- Huntress Reddit: Mass exploitation of on-prem Exchange servers
- Huntress Blog: Rapid Response: Mass Exploitation of on-prem Exchange Servers
What is Huntress Doing?
- We are contacting partners that have Exchange Servers we believe to be unpatched. The check is performed by the Huntress agent--we are not checking hosts externally.
- We are actively looking for the presence of web shells on hosts with affected versions of Exchange installed. We will send reports for any web shells we identify.
- Please note that web shell detection and reporting differs from our foothold detection. As such, the reports for web shells do not automatically close. If you have remediated the web shell, feel free to reach out to Support by clicking here or emailing support@huntress.io, and we will manually close the incident report.
- We've started a Reddit thread and a blog post with all the information we have gathered.
Patch Status
At this time support is unable to verify the patch status of individual servers. Please review our blog or Reddit post to assist you with this.
What do I need to do?
Read over Microsoft's Security post here: HAFNIUM targeting Exchange Servers with 0-day exploits.
Read over our Reddit thread and Huntress blog, which give our details on what to look for. We will continue updating them as we have more information.
Make sure you have the latest Exchange Server updates. For Exchange 2013, 2016, 2019 refer to KB5000871 and for Exchange 2010 refer to KB5000978.