keithli_FTNT
Article Id 198741
Description
This article describes how to use a custom Event Handler and Report in FortiAnalyzer to detect activities that may be related to Microsoft Exchange vulnerabilities exploited by HAFNIUM.

For more information on the vulnerabilities being exploited, see the FortiGuard Lab Threat Signal Report:
Out of Band Patches Released for Active Exploitation of Microsoft Exchange Server

What is included in Fortinet_SOC-MS-Exchange-Attack-Detection-v3.zip?

1) Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Detection-v3.json
This event handler identifies exploit attempts against the Microsoft Exchange Server vulnerabilities detected by IPS (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). In addition, it alerts on data exfiltration attempts detected by FortiGate AntiVirus signatures.

The logs that trigger the event handler are generated by FortiGate. FortiGate must therefore be configured to inspect the traffic to the Exchange server (blocking the exploit and the data exfiltration) so that the corresponding IPS and AV logs are produced and forwarded to FortiAnalyzer; without those logs the event handler never fires.

For the FortiGate to block the exploit when deployed in front of the Exchange server, the IPS signature package must be version 18.030 or later.
For the FortiGate to block the file hashes identified by Microsoft and prevent data exfiltration, the AntiVirus signature package must be version 84.00475 or later.

2) Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Report-v3.dat
A report to summarize findings on attack attempts to exploit MS.Exchange server vulnerabilities, as detected by AV & IPS on FortiGate devices.
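As an added example (not part of the Fortinet article or the ZIP package), the script below shows the two checks a practitioner would want to run before trusting the imported event handler: that the FortiGate signature packages meet the minimum versions stated above, and that FortiGate IPS/AV log records of the kind the handler keys on are actually arriving. The `diagnose autoupdate versions` output layout, the log lines, and the IPS/AV signature names are all constructed for the example; the real FortiGuard signature names are not listed on this page, so the IPS match uses a generic `MS.Exchange` pattern and the AV watchlist is a placeholder.

```python
"""Added example: prerequisite and log-replay checks for the Exchange outbreak handler.

Not Fortinet code. Assumptions (labelled): the section headings and
'Version:' lines of 'diagnose autoupdate versions'; sample log lines and
signature names are constructed placeholders.
"""
import re
import shlex

# Minimum package versions stated in the article.
MIN_VERSIONS = {"IPS Attack Definitions": "18.030", "Virus Definitions": "84.00475"}

# Constructed sample of 'diagnose autoupdate versions' output (layout assumed).
SAMPLE_DIAG = """\
AV Engine
---------
Version: 6.00246 signed
Contract Expiry Date: n/a

Virus Definitions
---------
Version: 84.00475 signed

IPS Attack Definitions
---------
Version: 18.026 signed
"""

# Constructed FortiGate key=value log records; signature names are placeholders.
SAMPLE_LOGS = [
    'date=2021-03-05 time=10:01:02 devname="FGT-Edge" type="utm" subtype="ips" eventtype="signature" '
    'severity="critical" srcip=203.0.113.10 dstip=10.0.0.25 dstport=443 '
    'attack="MS.Exchange.Server.Example.Remote.Code.Execution" action="dropped"',
    'date=2021-03-05 time=10:02:15 devname="FGT-Edge" type="utm" subtype="virus" eventtype="infected" '
    'severity="high" srcip=10.0.0.25 dstip=198.51.100.7 virus="Example.Exchange.Webshell!tr" action="blocked"',
    'date=2021-03-05 time=10:03:00 devname="FGT-Edge" type="traffic" subtype="forward" '
    'srcip=10.0.0.40 dstip=10.0.0.25 action="accept"',
    'date=2021-03-05 time=10:04:30 devname="FGT-Edge" type="utm" subtype="ips" eventtype="signature" '
    'severity="medium" srcip=203.0.113.11 dstip=10.0.0.30 attack="Apache.Example.Directory.Traversal" action="detected"',
]

# Placeholder AV names standing in for the Microsoft-published hashes FortiGuard covers.
AV_WATCHLIST = {"Example.Exchange.Webshell!tr"}
EXCHANGE_IPS_PATTERN = re.compile(r"MS\.Exchange", re.IGNORECASE)


def parse_version(version):
    """'18.030' -> (18, 30); numeric tuple comparison avoids string-order mistakes."""
    return tuple(int(part) for part in version.split("."))


def version_ok(diag_output):
    """Map each tracked package to (current_version, meets_minimum)."""
    results, section = {}, None
    for raw in diag_output.splitlines():
        line = raw.strip()
        if line in MIN_VERSIONS:
            section = line                      # entered a section we care about
        elif section and line.startswith("Version:"):
            current = line.split()[1]
            results[section] = (current, parse_version(current) >= parse_version(MIN_VERSIONS[section]))
            section = None
    return results


def parse_fgt_log(line):
    """Split a FortiGate key=value record; shlex keeps quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def find_exchange_events(lines, av_watchlist):
    """Return (kind, signature, srcip, dstip, action) for records the handler would match."""
    hits = []
    for line in lines:
        f = parse_fgt_log(line)
        if f.get("type") != "utm":
            continue                             # only UTM (IPS/AV) logs feed the handler
        if f.get("subtype") == "ips" and EXCHANGE_IPS_PATTERN.search(f.get("attack", "")):
            hits.append(("ips", f["attack"], f.get("srcip"), f.get("dstip"), f.get("action")))
        elif f.get("subtype") == "virus" and f.get("virus") in av_watchlist:
            hits.append(("av", f["virus"], f.get("srcip"), f.get("dstip"), f.get("action")))
    return hits


if __name__ == "__main__":
    for pkg, (ver, ok) in version_ok(SAMPLE_DIAG).items():
        print(f"{pkg}: {ver} {'OK' if ok else 'BELOW MINIMUM ' + MIN_VERSIONS[pkg]}")
    for hit in find_exchange_events(SAMPLE_LOGS, AV_WATCHLIST):
        print(hit)
```

On the constructed input the IPS package is reported below the 18.030 minimum while the AV package passes, and only the two UTM records (the IPS drop and the AV block) are returned; the traffic log and the unrelated IPS signature are ignored, which is the same filtering the event handler applies.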

See the Solution section for instructions on how to load the event handler and report into a FortiAnalyzer unit.


Scope
The custom Event Handler provided can be used in FortiAnalyzer 6.4+.


Solution
All screenshots below are for illustration purposes and were taken from FortiAnalyzer 6.4.4.

1) Download the Fortinet_SOC-MS-Exchange-Attack-Detection-v3.zip file (contains 2 files)

2) Unzip Fortinet_SOC-MS-Exchange-Attack-Detection-v3.zip

3) Import Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Detection-v3.json into Event Handlers
     a. Choose an ADOM (if ADOMs are enabled)
     b. Choose the FortiSOC module
     c. Select Event Handler List
     d. Select the Import option under "More"
     e. Select Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Detection-v3.json

(Screenshot: EventHandlerList-FortiDemo.png)

Result: the event handler Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Detection-v3 is enabled and will generate events for matching logs received after it was imported. Logs that arrived before the import do not trigger it; use the report in step 4 to review historical logs.

4) Import Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Report-v3.dat into Reports
    a. Choose a Fabric ADOM (if ADOMs are enabled)
    b. Choose the Report module
    c. Select the Import option under "More"
    d. Select Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Report-v3.dat

(Screenshot: ImportReport.png)

Result: the report 'Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Report-v3' is available and can be run at any time, on demand or on a schedule, by an admin user.

Related Articles

Technical Tip: How to use FortiSIEM to detect activities related Microsoft Exchange vulnerabilities ...
