Several vulnerabilities were recently discovered in Microsoft Exchange Server products, which can be exploited by malicious individuals to gain a foothold on an Exchange server. This exploit is known as Hafnium, and can also be used as the entry point to get deeper into the organizational network, since Exchange servers are often publicly exposed.
This exploit only affects On-Premise Microsoft Exchange servers, and does not affect Exchange Online or Microsoft 365.
What does Hafnium do?
The threat actor, or malicious individual, uses the vulnerabilities to gain access to the on-premise Microsoft Exchange server. This gives them access to email accounts and other data, and also allows the installation of additional malware to facilitate long-term access to victim environments. Obviously, this is a most undesired situation. For more information, please see the links at the end of this article.
Have Microsoft released patches for Exchange?
Yes, there are patches available. See this page at Microsoft for more details.
Update - Since this page was originally published, Microsoft have released a "One click mitigation tool" which makes updating the server easier. More details are at Microsoft's own page.
But are you protected by F-Secure?
Yes you are.
F-Secure DeepGuard, part of all of our Windows Endpoint clients, can detect abnormal activity performed by UmWorkerProcess.exe, which is one of the actions Hafnium takes. There are also other detections in place. We will continue to monitor the situation, and add further detections as needed.
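As an added example (not F-Secure's DeepGuard logic), the following detector scans constructed process-creation records and flags UMWorkerProcess.exe launching a child process that is not on an allowlist. The key="value" log format, the field names and the allowlist are assumptions made for the example.

```python
import ntpath
import re
from dataclasses import dataclass

# Field pattern for the assumed key="value" log format used below.
_FIELD = re.compile(r'(\w+)="([^"]*)"')

PARENT_OF_INTEREST = "umworkerprocess.exe"
# Hypothetical allowlist: children the UM worker is expected to launch.
ALLOWED_CHILDREN = {"conhost.exe"}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_LOG = [
    'Time="2021-03-03T10:11:58Z" Parent="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe" Image="C:\\Windows\\System32\\conhost.exe" CommandLine="conhost.exe"',
    'Time="2021-03-03T10:12:01Z" Parent="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe"',
    'Time="2021-03-03T10:12:05Z" Parent="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe"',
]


@dataclass
class Alert:
    time: str
    parent: str
    image: str
    command_line: str


def parse_event(line: str) -> dict:
    """Turn one key="value" record into a dict of its fields."""
    return dict(_FIELD.findall(line))


def find_abnormal_children(lines, allowed=ALLOWED_CHILDREN) -> list:
    """Return an Alert for every UMWorkerProcess.exe child not on the allowlist."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        parent = ntpath.basename(ev.get("Parent", "")).lower()
        if parent != PARENT_OF_INTEREST:
            continue  # only children of the UM worker are of interest here
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image in allowed:
            continue  # expected helper process, not abnormal
        alerts.append(Alert(ev.get("Time", ""), parent, image, ev.get("CommandLine", "")))
    return alerts


if __name__ == "__main__":
    for a in find_abnormal_children(SAMPLE_LOG):
        print(f"{a.time} ALERT {a.parent} -> {a.image}: {a.command_line}")
```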
With our Software Updater, which is part of Server Protection and Server Security Premium, outdated Exchange installations can be detected and upgraded to the latest versions from Microsoft.
The F-Secure Endpoint Detection and Response (EDR) Sensor used in the F-Secure Rapid Detection and Response product can detect and alert the administrator when Hafnium starts performing its system activities/attacks after making use of the exploit to gain initial access. The same sensor is also used in the F-Secure Rapid Detection Service product.
F-Secure Radar can detect unpatched Exchange software, as part of both an authenticated scan and a regular network-based scan, reporting that it has identified vulnerabilities. Additionally, the new Radar Endpoint Agent can also detect these vulnerabilities.
So, F-Secure has a solution for you and your customers. Several solutions, in fact.
Other useful links
Microsoft have a blog post about Hafnium, as have Volexity.
The United States Cybersecurity and Infrastructure Security Agency also have an article on this subject.