Protect your organization from the Hafnium attack targeting Microsoft Exchange Server.
Organizations should activate their incident response plans immediately. Once mitigations have been successfully put in place, we recommend updating incident response playbooks, testing resiliency with tabletop exercises, and conducting a targeted threat hunt.
Activate incident response plan and team to assess risk and preserve evidence.
Investigate for indicators of compromise to isolate suspicious systems across the vendor landscape.
Pinpoint compromised servers and take them offline.
Remediate by reimaging and blocking traffic to and from impacted servers.
Update incident response playbooks, test resiliency with tabletop exercises, and conduct a targeted threat hunt.
Adopt an integrated platform approach with extended detection and response together with zero-trust network segmentation.
Are you impacted? Contact Cisco Talos Incident Response. We are available globally, 24 hours a day, every day of the year. Contact us: 1-844-831-7715 or +44 808 234 6353.
Talos offers a step-by-step guide to defend Microsoft Exchange from encrypted attacks.
Simplify breach defense with a platform built into the Cisco Secure portfolio that connects to your existing infrastructure for unified visibility, turnkey simplicity, and enhanced efficiency, turning disjointed solutions into a fully integrated defense.
Our platform approach delivers the broadest XDR capabilities supported by machine-learning and behavioral analytics to connect intelligent detections to confident responses.
Trusted expertise delivers a full suite of proactive and emergency services that helps enterprises prepare, respond, and recover from a breach effectively.
Every Cisco Secure customer is entitled to the SecureX platform. See the value of SecureX integrations today and unlock every Cisco Secure product's full potential, speeding your investment time to value.
The integrated approach of the Cisco SecureX cloud-native security platform provides simplicity, visibility, and efficiency across your security infrastructure. Capabilities are integrated within each product's console, achieving the industry's broadest XDR.
Cisco Secure products | Hafnium coverage |
---|---|
Cisco SecureX | Secure X provides visibility to customers when any of a customer's SecureX modules detect an interaction with any of the domains or file hashes known to be involved with Hafnium. The customer is redirected to a SecureX threat response investigation of all indicators of compromise (IoCs) contained in the Talos Threat Advisory at the time of its publication. Workflows and orchestration can automate the response to future threats posted in Talos blogs. |
Cisco Talos Incident Response (IR) | Cisco Talos Incident Response has developed a plan of action (PoA) specifically for Hafnium responses that have been tested and validated in multiple compromised environments. Utilize the full suite of proactive and emergency servers to respond to and recover from the attack. |
Cisco Secure Endpoint | Secure Endpoint displays a Hafnium event notice in the console to inform customers of the attack. Retrospective detection alerts are based on our ongoing threat intelligence and threat hunting activities for Premier subscriptions. It also employs multiple blocking technologies—including behavioral protection and static detection—to detect/block/quarantine Hafnium web shells that are trying to be installed. The live query function of Secure Endpoint can query mailbox requests to see if emails have been downloaded and look for backdoors that may be present on servers. Additionally, Secure Endpoint offers retrospective detection/blocking based on Talos's threat intelligence. |
Cisco Umbrella | Cisco Umbrella, our secure internet gateway (SIG), is a cloud-delivered security service that blocks users from connecting to malicious IPs, URLs, and files associated with this attack. It protects users on and off the corporate network. The Umbrella dashboard may be updated to provide attribution for the currently known and future IoCs to Hafnium activity within Umbrella's threat reporting. |
Cisco Secure Network Analytics and Secure Cloud Analytics | Secure Network Analytics and Secure Cloud Analytics help detect anomalous behaviors and issue observations or alerts based on this unusual new activity. Customers can leverage IoCs such as Outbound Traffic Spike alert, Bad Protocol observation, New Profile observation, and Static Port Deviation observation. Customers can research any prior interactions with known indicators such as IP addresses tracked by Talos. |
Cisco Secure Workload | Secure Workload can be used to identify compromised or affected assets using Talos-published IoCs. It can also be leveraged to apply primary mitigations as recommended by the Cybersecurity and Infrastructure Security Agency (CISA), including restricting network traffic to least privilege. IoCs can be found via Secure Workload process forensics, Secure Workload process hash, Secure Workload vulnerability detection, and Secure Workload connection anomaly. |
Network security | Network security appliances such as Secure Firewall, Secure IPS, Cisco ISR, and Meraki MX can detect malicious activity associated with the Hafnium threat. Snort IDs have been published. See details on our Talos blog post. |
Cisco Secure Web Appliance | Cisco Secure Web Appliance (WSA) prevents access to malicious websites and detects malware used in these attacks. |
Cisco Secure Malware Analytics | Secure Malware Analytics helps identify malicious binaries and build protection into all Cisco Secure products. It makes use of robust search capabilities, correlations, and detailed static and dynamic analyses as well as tools that allow users to safely interact with samples and observe malware behavior directly. |
Cisco Endpoint Security Analytics | Endpoint Security Analytics brings together the endpoint behavioral visibility of the Cisco AnyConnect Network Visibility Module (NVM) and the data transformation power of the Splunk analytics platform to help address the endpoint visibility gap left behind by traditional EDR/EPP solutions. It provides the ability to associate what endpoint accessed what domain, as well as what software processes and protocols were used, enabling immediate visibility to what endpoints are exposed. |
Sorry, no results matched your search criteria(s). Please try again.