jnrdrink.blogg.se

Exchange msert

The analytics that have helped us detect these intrusions (and, to some extent, the remediation process for cleaning up after a successful compromise) are relevant for detection and remediation of web shells and post-exploitation activity in general, regardless of whether it’s related to the recently patched vulnerabilities or not.


We do not know for certain whether all of the malicious activity we’re seeing is the result of adversaries targeting the vulnerabilities that Microsoft addressed in its security bulletin last week, but we assess that it’s likely, based on the timing and victimology. In the week that’s passed since, we’ve issued dozens of potentially related threat detections. On February 28, a few days before the release of Microsoft’s security bulletin, we started to observe a noticeable increase in suspicious web shell activity emanating from Microsoft Exchange servers. While Microsoft initially attributed these attacks to a suspected Chinese state-sponsored group that it calls “HAFNIUM,” over the last few days it’s become clear that numerous activity clusters are exploiting these vulnerabilities. News broke last week that suspected state-sponsored adversaries have developed exploits for multiple zero-day vulnerabilities in Microsoft Exchange server, and that they are leveraging those exploits to conduct targeted attacks against an unknown number of organizations around the world.








