{"id":6676,"date":"2021-03-12T18:08:27","date_gmt":"2021-03-12T18:08:27","guid":{"rendered":"https:\/\/www.n-able.com\/?p=6676"},"modified":"2023-07-18T19:14:22","modified_gmt":"2023-07-18T18:14:22","slug":"exchange-hafnium-and-you-how-respond","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/es\/blog\/exchange-hafnium-and-you-how-respond","title":{"rendered":"Exchange, Hafnium and You. How to Respond"},"content":{"rendered":"<p>As everyone has likely heard by now, Microsoft released emergency security updates on March 2, 2021 for Microsoft Exchange. These updates addressed four zero-day vulnerabilities that were being exploited as part of an attack campaign that has been attributed to\u00a0<a class=\"ext\" href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2021\/03\/02\/new-nation-state-cyberattacks\/\" target=\"_blank\" rel=\"noopener noreferrer\">Hafnium<\/a>, a nation state backed Advanced Persistent Threat (APT) actor.<\/p>\n<h2 class=\"h3\">What Happened<\/h2>\n<p>By leveraging the below vulnerabilities, the threat actors are able to execute an attack referred to as\u00a0<a class=\"ext\" href=\"https:\/\/proxylogon.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">ProxyLogon<\/a>\u00a0that allows for pre-authentication remote code execution (RCE) on any Exchange Server 2013, 2016, or 2019, and all it takes is for port 443 to be open:<\/p>\n<ul>\n<li><a class=\"ext\" href=\"https:\/\/msrc-blog.microsoft.com\/tag\/cve-2021-26855\/\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2021-26855<\/a>\u00a0\u2013 Server-side request forgery (SSRF) that allowed arbitrary HTTP request to authenticate<\/li>\n<li><a class=\"ext\" href=\"https:\/\/msrc-blog.microsoft.com\/tag\/cve-2021-26857\/\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2021-26857<\/a>\u00a0\u2013 insecure deserialization vulnerability that allows attackers to run code as SYSTEM<\/li>\n<li><a class=\"ext\" href=\"https:\/\/msrc-blog.microsoft.com\/tag\/cve-2021-26858\/\" 
target=\"_blank\" rel=\"noopener noreferrer\">CVE-2021-26858<\/a>\u00a0\u2013 post-authentication arbitrary file write, allows attackers to write files to any path on the server<\/li>\n<li><a class=\"ext\" href=\"https:\/\/msrc-blog.microsoft.com\/tag\/cve-2021-27065\/\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2021-27065<\/a>\u00a0\u2013 post-authentication arbitrary file write, allows attackers to write files to any path once authenticated leveraging CVE-2021-26855 or valid admin credentials<\/li>\n<\/ul>\n<p>What you end up with is an attacker\u2019s ability to not only exfiltrate data, such as emails, but also to setup persistence in the environment and begin making lateral movements to further compromise the environment.<\/p>\n<h2 class=\"h3\">How Can You Respond<\/h2>\n<p>Most security incidents require you to respond with a set of common actions. This typically boils down to (in simplest terms) identification, remediation, mitigation, and resumption of normal activities. There can be any number of sub-divisions or recategorization of these actions, but these are the basics. The first part of this global incident response has already been done for you. The threat has been identified, now is the time to act.<\/p>\n<h2 class=\"h3\">Patching<\/h2>\n<p>This is one of those rare \u2018all-hands-on deck\u2019 situations. No matter how you achieve it, your first step should be applying the\u00a0<a class=\"ext\" href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-march-2021-exchange-server-security-updates\/ba-p\/2175901\" target=\"_blank\" rel=\"noopener noreferrer\">security updates from Microsoft<\/a>\u00a0to deal with these vulnerabilities since it\u2019s the\u00a0 easiest step and it helps prevent you from being compromised by these vulnerabilities if you haven\u2019t already been attacked. 
If, for whatever reason, the updates cannot be applied to exposed systems, there are\u00a0<a class=\"ext\" href=\"https:\/\/msrc-blog.microsoft.com\/2021\/03\/05\/microsoft-exchange-server-vulnerabilities-mitigations-march-2021\/\" target=\"_blank\" rel=\"noopener noreferrer\">alternative mitigations<\/a>\u00a0available from Microsoft.<\/p>\n<p>Luckily for our partners that use\u00a0<a href=\"https:\/\/www.n-able.com\/products\/n-sight-rmm\">RMM<\/a>\u00a0or\u00a0<a href=\"https:\/\/www.n-able.com\/products\/n-central-rmm\">N&#8209;central<sup>\u00ae<\/sup><\/a>\u00a0and have Patch Management enabled, it should be easy to approve, roll out, and verify that the updates are installed. If you must apply patches manually for whatever reason, follow Microsoft\u2019s guidance.<\/p>\n<h2 class=\"h3\">Patches are Applied, What Next?<\/h2>\n<p>Applying the updates alone is not enough; this is only a mitigation step that helps protect a system from being attacked via these vulnerabilities. You still need to determine whether a system has already been compromised by this attack. For this, you will need to know the Indicators of Compromise (IoCs) for this attack. The Microsoft Intelligence Center (MSTIC) has provided those\u00a0<a class=\"ext\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/03\/02\/hafnium-targeting-exchange-servers\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>\u00a0if you want to search for IoCs manually or automate your own solution.<\/p>\n<p>To save you some trouble, we have prepared a 24&#215;7 Check for RMM and a Service Monitor for N&#8209;central that can be used to check for one of the primary indicators of the initial compromise of a system via CVE-2021-26855.
While this can help jump-start your efforts, you will still have to perform additional evaluation of your Exchange Servers to validate that they haven\u2019t been compromised.<\/p>\n<p>You can download the scripts here:<\/p>\n<p><a class=\"ext\" href=\"https:\/\/me.n-able.com\/s\/article\/CVE-2021-26855-IOC-N-Central\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2021-26855 IOC for N-Central<\/a><\/p>\n<p><a class=\"ext\" href=\"https:\/\/me.n-able.com\/s\/article\/CVE-2021-26855-IoC-RMM\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2021-26855 IOC for RMM<\/a><\/p>\n<p>Microsoft has also updated its\u00a0<a class=\"ext\" href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/intelligence\/safety-scanner-download\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Security Scanner (MSERT)<\/a>\u00a0with new signatures to identify web shells associated with ProxyLogon. Given how simple it is to use, it is a good idea to run it on any suspect systems as well.<\/p>\n<h2 class=\"h3\">Indicators of Compromise Were Found. Now What?<\/h2>\n<p>Because this attack allows the threat actors to gain a persistent foothold in an environment, if you find any IoCs the safe assumption to operate under is that they have already done so.
Isolate the affected Exchange Server and follow the guidance provided by Microsoft\u00a0<a class=\"ext\" href=\"https:\/\/msrc-blog.microsoft.com\/2021\/03\/05\/microsoft-exchange-server-vulnerabilities-mitigations-march-2021\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/p>\n<p>It may be necessary and a good idea to bring in an outside incident response team to assist at this point as evicting an attacker who already has access can prove difficult for those without the skillset needed to deal with APT groups.<\/p>\n<p><em>Lewis Pope is Head RMM Nerd for N&#8209;able.\u00a0<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As everyone has likely heard by now, Microsoft released emergency security updates on March 2, 2021 for Microsoft Exchange. These updates addressed four zero-day vulnerabilities that were being exploited as&#8230;<\/p>\n","protected":false},"author":62,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-6676","post","type-post","status-publish","format-standard","hentry","topic-head-nerds","topic-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.n-able.com\/es\/wp-json\/wp\/v2\/posts\/6676","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.n-able.com\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.n-able.com\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.n-able.com\/es\/wp-json\/wp\/v2\/users\/62"}],"replies":[{"embeddable":true,"href":"https:\/\/www.n-able.com\/es\/wp-json\/wp\/v2\/comments?post=6676"}],"version-history":[{"count":0,"href":"https:\/\/www.n-able.com\/es\/wp-json\/wp\/v2\/posts\/6676\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.n-able.com\/es\/wp-json\/wp\/v2\/media?parent=6676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}