Skip to the main content.
Under Attack? Login
Under Attack? Login
Managed Extended Detection & Response
Layered cybersecurity controls for effective risk management and rapid response.

24/7/365 Monitoring & Alerting
Compromise Assessments
Threat Hunting
Vulnerability Management

Book MXDR Demo

Government Programs
Integrated technology, solutions, and services that support rapid innovation within the DoD ecosystem.

CMMC Preparation & Assessment
Cybersecurity Assurance Readiness (CSAR®/RMF Pro)
ATO/RMF Support

Book GP Demo

Professional Services
Expertise in security strategy, incident response readiness, policy development, and risk assessments.

Risk Assessments
vCISO
Penetration Testing

Book ProServ Demo

Digital Forensics & Incident Response
Are You Under Attack?

If you are concerned about a potential threat or are experiencing a breach, contact our 24/7/365 emergency hotline at 888-860-0452.

CONTACT US

Subscribe-to-NetSec-News-v4Subscribe to NetSec News

Sign up to receive our biweekly newsletter that covers what's happening in cybersecurity including news, trends, and thought leadership.

SIGN UP

Ingalls Information Security

At our core, Ingalls is a company that strives to be helpful to our clients while continuously innovating and evolving our technology and solutions. Since 2010, we have been dedicated to building a team and product that can stay steps ahead of threats, attacks, and vulnerabilities in an ever-changing landscape.

Meet The Leadership Team

1 min read

HAFNIUM targeting Exchange Servers with 0-day exploits

Picture of Daniel Guidry Daniel Guidry : Mar 3, 2021 12:00:00 AM

Cybersecurity Advisory Cybersecurity Controls

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

Affected Software / System

Microsoft Exchange Server

CVE(s) Being Exploited)

CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065


Type

0-Day Exploit


Exploit Status: 

The CVE’s listed above are being actively exploited in the wild.


Rating

High – Severity


Impact

In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.


Ingalls recommends the following actions:

  • Ingalls recommends verifying all Microsoft Exchange Server security updates are current.
  • Ingalls recommends verifying the following MDR tools are deployed on your Exchange Server:
    • Ingalls Windows Log Forwarding Agent
    • Install BlackBerryPROTECT and OPTICS
    • If BlackBerryPROTECT and OPTICS are installed, verify that the current version of .NET is installed and both PROTECT and OPTICS are up-to-date.
    • Notify your Ingalls Security Operations Center (SOC) if you have an on-prem Exchange Server.


Additional Resources:
Vulnerability Found in Microsoft Exchange Server

Vulnerability Found in Microsoft Exchange Server

Mar 10, 2020 12:00:00 AM

A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. ...

Read More
PrintNightmare Update (CVE-2021-34527)

PrintNightmare Update (CVE-2021-34527)

Jul 7, 2021 12:00:00 AM

Microsoft has completed the investigation and has released security updates to address this vulnerability. It is recommended that these updates be...

Read More
Critical Patches Issued for Microsoft Products, June 09, 2020

Critical Patches Issued for Microsoft Products, June 09, 2020

Jun 15, 2020 12:00:00 AM

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful...

Read More