Microsoft has recently just announced a security update with regards to a set of new exploits found being primarily used by a state-sponsored threat actor based in China which Microsoft has called Hafnium. The previously unknown exploits used by Hafnium targets on-premise exchange server software to gain initial access to the network by disguising themselves as someone with access privilege. They then create what is known as a web shell to gain control over the compromised server remotely, making it easy to steal data.
Affected Servers and the Remediation
The exploits used by Hafnium targets Microsoft Exchange Servers, so users of Microsoft Exchange Online are not affected. Below are the versions that can be targeted by the exploits:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Microsoft highly recommends that businesses with the affected Exchange servers immediately update them with the latest security updates to ensure protection against the exploits. If you are unable to immediately do so for all servers, Microsoft has said that you need to first prioritize external facing servers as they are the most vulnerable to these attacks but ultimately you would need to update them all to stay safe. Listed below are the security patches released by Microsoft for each exploit:
Is it possible to check if I have been already affected by these exploits?
Microsoft has released a detailed guide on ways to check you network logs to see if you have been affected, you may refer to this link if you would like to read more on it.
Security researchers have recently demonstrated at the security conference DEF CON 2018 a vulnerability that can be exploited via HP OfficeJet All-in-One Printers. It is being dubbed “Faxploit” by the researchers, Eyal Itkin and Yaniv Balmas. The attack takes advantage of security flaws in the implementation of the fax protocol used by OfficeJet printers, making many businesses susceptible to the attacks.
The researchers have stated that for this particular exploit, all the attackers need is a fax number to exploit the vulnerability, which they can then hijack the network and all systems connected to it. They then can infect the network with their malware or even worse, outright steal your business’ important data. Researchers have said that the impact of this exploit is not a small one as it is surveyed that businesses have actually increased their fax usage by almost 82% in 2017, so even with many new technologies, fax is still one of the most used ways to move documents.
Faxploit is yet another example where unsecured devices that businesses use on a daily basis can result into vulnerabilities in their network that many cyber criminals can use to steal data or hold them ransom. Especially now that the Internet-of-things (IoT) ready devices are getting more and more mainstream, attackers are finding more ways to hit businesses where they are at least protected since this is more or less still in the beginning phases. These threats can stay longer in the system due to the device’s inability to protect itself, making attacks stealthier and more destructive to the organizations network.
However, HP has released patches for the vulnerabilities (CVE-2018-5924 and CVE-2018-5925) and users are recommended to apply the firmware updates to make sure they will not be affected.
For those who are interested in a more proactive approach for these types of attacks, Trend Micro’s managed detection and response service allows customers to investigate security alerts without the need to hire qualified incident response staff. It provides alert monitoring, alert prioritization, investigation, and threat hunting services to Trend Micro customers. By applying artificial intelligence models to customer endpoint data, network data, and server information, the service can correlate and prioritize advanced threats. Trend Micro threat researchers can determine the extent and spread of the attack and work with the customer to provide a detailed remediation plan.
To learn more about “Faxploit” you may read Trend’s original article here, or you may contact us at 893-9515 and we will be happy to answer your inquiries!