
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Fireboxes Detect HAFNIUM Attacks in the Wild

March 29, 2021 By Trevor Collins

Over the last few weeks, our threat intelligence has continued to show HAFNIUM attacks against Exchange servers. Our Firebox Feed data shows Fireboxes identifying the signature almost every day over the HTTPS proxy. Yet many Exchange servers remain unprotected. Because Exchange Outlook Web Access (OWA) servers are reached over HTTPS, a Firebox must inspect the content of HTTPS traffic for its IPS signature to detect this exploit. This year, though, we only saw 21% of reporting Fireboxes inspect any encrypted content. Since the Firebox Feed only receives information from about 12% of active Fireboxes, we can’t extrapolate this percentage across all Fireboxes. We simply don’t know how likely it is for an admin with an Exchange server to properly set up our TLS inspection, but in general we find only a few do. While we don’t have enough statistics on this exploit to make predictions about who’s targeted yet, we have noticed a few trends.

  • 25 separate devices have detected these attacks through an IPS signature. Two detections were from North and South America (AMER), 23 from Europe, the Middle East and Africa (EMEA), and none from Asia-Pacific (APAC).
  • Each Firebox received an average of 6 IPS detections related to the HAFNIUM Attacks.
  • We see 50 IP addresses making up the detections, with some IPs targeting multiple devices. Some devices also see multiple attacks from different IPs.
  • One device detected Generic.SecChecker.A.7CFC55B3, a web shell that checks whether the server runs one of several endpoint detection products. Read more about this shell in a separate section here.

We suspect threat actors first scan networks for these vulnerabilities and may come back later to exploit them further. The hits per Firebox seem slightly low compared to other signatures we identify. In the long run, we expect HAFNIUM attacks on networks to increase, as will the number of attacks per network. Even though these attacks target the Exchange server, they technically target OWA’s webmail, and thus use the HTTP protocol over TLS (HTTPS). Ensure that you enable content inspection through the HTTPS proxy to protect your Exchange/OWA server; without it, the IPS signature never sees the decrypted request and cannot fire.
