On March 2nd, zero-day vulnerabilities affecting Microsoft Exchange were publicly disclosed. These vulnerabilities are being actively exploited in the wild by HAFNIUM, a threat actor believed to be a nation state.

Sophos customers are protected from the exploitation of the new zero-day vulnerabilities affecting Microsoft Exchange.

• Sophos News: Protecting Sophos customers from HAFNIUM

How Sophos Managed Threat Response (MTR) can help

Threats such as HAFNIUM are a great example of the peace of mind you get knowing your organization is backed by an elite team of threat hunters and response experts.

When the HAFNIUM news broke, the Sophos MTR team immediately began to hunt and investigate in customer environments to determine if there was any activity related to the attack. Additionally, they also looked to uncover any new artifacts or IoCs related to the attack that could provide further protection for all Sophos customers.

The 24/7 nature of Sophos MTR meant that not a single second was wasted before the team got to work, ensuring our customers were protected.

SophosLabs has also published detections related to the known activity and IOCs related to the Exchange vulnerability. This is in addition to previous protections already in place to detect post-exploit activity.

Concerned about HAFNIUM? Contact Sophos MTR today to ensure that any potential adversarial activity in your environment is identified and neutralized.

Endpoint Detection & Response: Querying Hafnium with Sophos EDR

How to utilize Sophos Live Discover to query your machines and see if there are any suspect web shells related to Hafnium. (Thanks to Karl_Ackerman)

More info

• Live Discovery & Response Query: Hafnium check
• Sophos News: HAFNIUM: Advice about the new nation-state attack
• NakedSecurity: Serious Security: Webshells explained in the aftermath of HAFNIUM attacks