Sophos Zero Day


On March 2nd 2021, zero-day vulnerabilities affecting Microsoft Exchange were publicly disclosed. These vulnerabilities are being actively exploited in the wild by HAFNIUM, a threat actor believed to be a nation state. According to an alert from the CISA:

Microsoft has released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. A remote attacker can exploit three remote code execution vulnerabilities—CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065—to take control of an affected system and can exploit one vulnerability—CVE-2021-26855—to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild.


Zero Day Attack Prevention: Essential Tips. First the bad news: it is very difficult, almost impossible, in fact, to identify a zero-day vulnerability. You need to have some serious IT and software skills to recognize a zero-day vulnerability. And even then, you need to be really lucky to catch one.


On April 22, Sophos published a knowledge base entry on the Sophos Community regarding the discovery of a zero-day vulnerability in the Sophos XG Firewall that was exploited in the wild. According to Sophos, they were able to identify “an attack against physical and virtual XG Firewall units” after reviewing the report of a “suspicious field value” in the XG Firewall’s management.


CISA issued an emergency directive urging organizations to patch on-premises Exchange Servers while performing associated security scans to see if attackers are in the systems.

What should Sophos customers do?

The Sophos MTR team has published a step-by-step guide on how to search a customer’s network for signs of compromise.

The good news is that Sophos MTR, network, and endpoint customers have multiple protections against the exploitation of the new vulnerabilities.


A Sophos News article has been published which reviews many of these protections:



  • Related AV signatures that have blocked HAFNIUM, and advice on what to do if they’ve been triggered
  • Queries Sophos EDR customers can run to identify potential web shells for investigation
  • IPS signatures for Sophos Firewall customers

Multiple security advisories have already been sent to MTR customers outlining the issue and what the MTR is doing to keep customers protected.

Sophos Managed Threat Response (MTR) and Rapid Response

Organizations have been requesting more information over the past few days about which Sophos services can validate their exposure. Sophos MTR Advanced is the ideal solution to stay protected against advanced attacks like HAFNIUM.

Existing MTR customers can rest easy knowing that the MTR was immediately looking for any related activity in their networks.


If a non-MTR customer is seeing signs that they may be experiencing related adversarial activity, we recommend they contact the Sophos Rapid Response team immediately.
