Over the last few weeks, we continue to see HAFNIUM attacks against Exchange Servers through our threat intelligence. Our Firebox feed data shows Fireboxes identifying the signature almost every day over the HTTPS proxy. Yet, Many Exchange servers remain unprotected. With Exchange Outlook Web Access (OWA)servers, Fireboxes must inspect the content of HTTPS traffic for its IPS signature to detect this exploit. This year, we only saw 21% of reporting Fireboxes inspect any encrypted content though. Since the Firebox Feed only receives information from about 12% of active Fireboxes, we can’t extrapolate this percentage across all Fireboxes. We simply don’t know how likely it is for an admin with an Exchange server to properly setup our TLS inspections, but in general we find only few do. While we don’t have enough statistics on this exploit to make predictions around who’s targeted yet, we have noticed a few trends.
- 25 separate devices have detected these attacks through an IPS signature. Two detections were from North and South America (AMER), 23 from Europe, the Middle East and Africa (EMEA), and none from Asia-Pacific (APAC)
- Each Firebox received an average of 6 IPS detections related to the HAFNIUM Attacks.
- We see 50 IP addresses making up the detections with some IPs targeting multiple devices. Some devices also see multiple attacks from different IPs.
- One device detected Generic.SecChecker.A.7CFC55B3, a Web Shell that identifies if the server runs one of several endpoint detections. Read more about this shell in a section here.
We suspect threat actors first scan networks for these vulnerabilities and may come back later to further exploit them. These hits per Firebox seem slightly low compared to other signatures we identify. In the long run, we suspect HAFNIUM attacks on networks will increase as will the number of attacks per network. Even though these attacks target the Exchange server, they technically target OWA’s webmail, and thus use the HTTP protocol with TLS (HTTPS). Ensure that you enable content inspection through the HTTPS proxy to protect your Exchange/OWA server.