Potential exposure to Hafnium Microsoft Exchange targeting

high Nessus Plugin ID 147193
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

Detects potential IOCs for Hafnium

Description

This plugin detects the potential presence of a web shell in selected directories and this can be indicative that the host might have been targeted in the Hafnium campaign. It is recommended that the results are manually verified and appropriate remediation actions taken.

Note that Nessus has not tested for this issue but has instead looked for .aspx files that could potentially indicate compromise.

Solution

Microsoft has released security updates KB5000978 and KB5000871 to address this issue

See Also

http://www.nessus.org/u?847fa0d0

https://gist.github.com/JohnHammond/0b4a45cad4f4ed3324939d72dc599883

Plugin Details

Severity: High

ID: 147193

File Name: hafnium_ioc_detect.nbin

Version: 1.10

Type: local

Agent: windows

Family: Windows

Published: 3/8/2021

Updated: 6/9/2021

Dependencies: microsoft_exchange_installed.nbin

Risk Information

CVSS Score Source: CVE-2021-27065

VPR

Risk Factor: Critical

Score: 9.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:H/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:exchange_server

Required KB Items: installed_sw/Microsoft Exchange, SMB/Registry/Enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/2/2021

Vulnerability Publication Date: 3/2/2021

Exploitable With

Metasploit (Microsoft Exchange ProxyLogon RCE)

Reference Information

CVE: CVE-2021-26857, CVE-2021-26858, CVE-2021-27065