Hafnium ALERT: Recommendations to remediate Exchange Server vulnerability

News 16th March 2021

On March 2nd, zero-day vulnerabilities affecting on-premises versions of Microsoft Exchange Server 2013, 2016, and 2019 were publicly disclosed. These vulnerabilities are being actively exploited in the wild by Hafnium and other threat actors.

Sophos strongly recommends you take this threat seriously and act immediately, if you have not already done so. Whether that is educating your customers using the links below, or taking action if you manage their infrastructure. Sophos is regularly updating the Hafnium articles with the latest information and detections.

HAFNIUM: Advice about the new nation-state attack

At a minimum you should:

• Backup Exchange/IIS Server logs then patch all Exchange servers
• Patching only ensures that your customer cannot be breached again. If they have already been breached, they will continue to be vulnerable even after patching
• If your customer has a Sophos EDR product, perform a threat hunt by running queries to determine the possible exposure
• Remove web shells and change passwords on all Exchange Servers
• Ensure endpoint protection is deployed on all endpoints and servers

The Sophos Managed Threat Response (MTR) team has published detailed guidance on how to respond to Hafnium. If you need expert assistance to determine exposure or remediate the situation, there are services available to help:

Managed Threat Response (MTR) – a managed security service that can perform threat hunting to identify adversarial activity in your environment and neutralize the situation

Rapid Response (RR) – If you have identified an active attack in your environment and need immediate assistance to neutralize the attack, this service is available