Potential exposure to Hafnium Microsoft Exchange targeting

high Nessus Plugin ID 147193

Synopsis

Detects potential IOCs for Hafnium

Description

This plugin detects the potential presence of a web shell in selected directories and this can be indicative that the host might have been targeted in the Hafnium campaign. It is recommended that the results are manually verified and appropriate remediation actions taken.

Note that Nessus has not tested for this issue but has instead looked for .aspx files that could potentially indicate compromise.

Solution

Microsoft has released security updates KB5000978 and KB5000871 to address this issue

See Also

http://www.nessus.org/u?847fa0d0

https://gist.github.com/JohnHammond/0b4a45cad4f4ed3324939d72dc599883

Plugin Details

Severity: High

ID: 147193

File Name: hafnium_ioc_detect.nbin

Version: 1.51

Type: local

Agent: windows

Family: Windows

Published: 3/8/2021

Updated: 9/19/2022

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:H/RL:OF/RC:C

CVSS Score Source: CVE-2021-27065

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:exchange_server

Required KB Items: installed_sw/Microsoft Exchange, SMB/Registry/Enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/2/2021

Vulnerability Publication Date: 3/2/2021

CISA Known Exploited Dates: 4/16/2021

Exploitable With

Metasploit (Microsoft Exchange ProxyLogon RCE)

Reference Information

CVE: CVE-2021-26857, CVE-2021-26858, CVE-2021-27065

CISA-NCAS: AA22-011A