Microsoft recently published information to help its customers understand the strategies HAFNIUM uses to exploit vulnerabilities in unpatched systems.
What Is HAFNIUM?
HAFNIUM typically targets entities in the U.S. across several business sectors, including law firms, infectious disease researchers, education organizations, policy think tanks, defense contractors, and NGOs.
What Do Microsoft Users Need to Know?
Once HAFNIUM gains initial access to your system, it deploys a web shell. Web shells allow intruders to steal your data and perform other actions to manipulate your system.
Unfortunately, HAFNIUM can also download the Exchange offline address book from a compromised system. This gives the attackers access to information about the organization and its users.
Have My Systems Been Compromised?
To review your server activity, we recommend using the following:
- Exchange server logs
- Azure Sentinel
- Microsoft Defender for Endpoint
- Microsoft 365 Defender
There are a few things you can do to be safe and check for any compromised servers. You should always:
- Make sure your security updates are current.
- Check the patch levels of your Microsoft Exchange Server.
- Scan the Exchange log files to search for any unusual activity.
Leave It to the Professionals
If you are worried that you were affected by a HAFNIUM attack, it is always best to reach out to an IT professional to guide you through a safe process to restore your systems. If you are looking for more information regarding the defense of Microsoft Exchange Servers, we recommend reading this blog.