SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft discloses 89 vulnerabilities, 14 critical, as part of monthly security update
Description: Microsoft released its monthly security update Tuesday, disclosing 89 vulnerabilities across its suite of products, the most in any month so far this year. There are 14 critical vulnerabilities as part of this release and one considered of “low” severity. The remainder are all “important.” Three of the critical vulnerabilities are the ones Microsoft disclosed last week in Exchange Server that the company said state-sponsored actors exploited in the wild to steal emails. Microsoft also announced Monday they were releasing patches for older versions of Exchange Server. All organizations using the affected software should prevent external access to port 443 on Exchange Servers, or set up a VPN to provide external access to port 443. This will ensure that only authenticated and authorized users can connect to this service. However, this action will only protect against the initial step of the attack. Administrators should also immediately apply the published patches to vulnerable Exchange Servers. Outside of Exchange Server, this month’s security update provides patches for several other pieces of software, including Azure Sphere, the SharePoint file-sharing service and the .hevc video file extension.
Reference: https://blog.talosintelligence.com/2021/03/microsoft-patch-tuesday-for-march-2021.html
Snort SIDs: 54518, 57233, 57234, 57241 - 57246, 57252, 57253, 57259 - 57268, 57269 and 57274 - 57276
Title: Microsoft Exchange Server vulnerabilities highlight HAFNIUM threat actor
Description: Microsoft disclosed several critical vulnerabilities in Exchange Server last week, stating that a state-sponsored actor known as “HAFNIUM” was behind the attacks. This threat actor exploited four vulnerabilities to steal emails, the most severe of which is a zero-day server-side request forgery (SSRF) vulnerability. HAFNIUM is a newly identified threat actor. According to Microsoft, the group usually targets industries such as military contractors, infectious disease research, legal, education and think tanks. Microsoft stated that the group is likely based out of China, but relies on leased virtual private servers in the U.S. While HAFNIUM was first known for exploiting these Exchange Server vulnerabilities, it is likely they will switch their tactics now that the vulnerabilities are public.
Reference: https://duo.com/decipher/hafnium-attack-group-exploiting-four-exchange-zero-days
Snort SIDs: 57235 - 57240