Description

On March 02, 2021, Microsoft published a detailed report addressing four previously unknown or zero-day vulnerabilities in Microsoft Exchange Server used in targeted attacks.

HAFNIUM has exploited Exchange email service that allowed them to gain access to internal systems.

This package requires Threat Intelligent Platform package which can be downloaded at https://marketplace.microfocus.com/arcsight/content/esm-default-content.

This package also comes with IoC data feed from PWC (https://www.pwc.com/), which is stored in the following 3 active lists:

/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Addresses

/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Domain

/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Hash


Following use cases are covered in this package:

  • Dangerous Browsing to a Suspicious Hafnium URL
  • Hafnium Detected by Vendor
  • Inbound Traffic from a Hafnium Suspicious Address
  • Inbound Traffic from a Hafnium Suspicious Domain
  • Outbound Traffic to a Hafnium Suspicious Address
  • Outbound Traffic to a Hafnium Suspicious Domain
  • Suspicious Hafnium File Hash Activity

Following MITRE ATT&CK Techniques are covered as well:

  • T1190-Exploit Public-Facing Application
  • T1566.002-Spearphishing Link


System Requirements

===========================

Micro Focus ArcSight ESM 6.9.1c or above.


Pre-installation

===========================

If Threat Intelligent Platform package is not installed, download and install it from https://marketplace.microfocus.com/arcsight/content/esm-default-content


If the following 3 active lists are customized, please backup them first.

/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Addresses

/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Domain

/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Hash


To install this package:

===========================

The zip file contains three files: package arb file, signature of arb file, and Readme.

Micro Focus provides a digital public key to enable you to verify that the signed software you received is indeed from Micro Focus and has not been manipulated in any way by a third party. Visit the following site for information and instructions:

https:/entitlement.mfgs.microfocus.com/ecommerce/efulfillment/digitalSignIn.do

It is required to log in using a Microfocus/Software passport (It gives the option to create an account)


Perform the following steps in the ArcSight Console.

1. Go to the ArcSight Console.

2. Click on Packages

3. Click Import

4. Select arb file from the zip file

5. Follow prompt to import and install this package


To uninstall:

===========================

Right click package from ArcSight Console, then select "Uninstall Package".


Minimum Requirements

ESM 6.9.1 and above


Threat Intelligence Platform package is required to install first.

Suggested apps

Suggested for you are based on app category, product compatibility, popularity, rating and newness. Some apps may not show based on entitlements. Learn more about entitlements.

Releases

Release
Size
Date
Hafnium Cyber Attack Monitoring 1.0.0.0
171.8 KB
  |  
Mar 31, 2021
More info Less info
Product compatibility
ESM
Version 6.9.1 · 6.11.0
Version 7.0 · 7.1 · 7.2 · 7.3 · 7.4
Release notes

On March 02, 2021, Microsoft published a detailed report addressing four previously unknown or zero-day vulnerabilities in Microsoft Exchange Server used in targeted attacks.

HAFNIUM has exploited Exchange email service that allowed them to gain access to internal systems.

Following use cases are covered in this package:

Dangerous Browsing to a Suspicious Hafnium URL

Hafnium Detected by Vendor

Inbound Traffic from a Hafnium Suspicious Address

Inbound Traffic from a Hafnium Suspicious Domain

Outbound Traffic to a Hafnium Suspicious Address

Outbound Traffic to a Hafnium Suspicious Domain

Suspicious Hafnium File Hash Activity


Following MITRE ATT&CK Techniques are covered as well:

T1190-Exploit Public-Facing Application

T1566.002-Spearphishing Link

Languages
English

Unsubscribe from notifications

You are receiving release updates for this item because you have subscribed to the following products:
If you unsubscribe, you will no longer receive any notifications for these products.
Tip: to update your subscription preferences, go to Manage Subscriptions from your Dashboard, uncheck the products you no longer want to receive notifications for, and click 'Save'.

Marketplace Terms of Service

In order to continue, you must accept the updated Marketplace Terms of Service
Since you are downloading an app from the Micro Focus Marketplace, you need to accept the updated Marketplace Terms of Service before you can continue. Use the link to review the Marketplace Terms of Service. Once complete check the, "I accept the Marketplace Terms of Service" box below and click accept to continue your download.


Your download has begun...

Your download has begun

Related content and resources

Your browser is not supported!

Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox

release-rel-2021-4-1-3979 | Wed Apr 7 06:55:03 PDT 2021