This article describes how to use FortiDeceptor Deception Decoys and Lures to detect activity related to the Microsoft Exchange vulnerabilities exploited by HAFNIUM.
For more information on the vulnerabilities being exploited, see the FortiGuard Labs Threat Signal Report: Out of Band Patches Released for Active Exploitation of Microsoft Exchange Server.
Cyber Deception Against HAFNIUM:
The HAFNIUM group uses several RCE (remote code execution) exploits against Microsoft Exchange Server and then runs a web shell backdoor to move further into the network.
The RCE exploits let the attacker write web shells (ASPX files) to the server and use them for malicious activity such as dumping credentials, adding user accounts, stealing copies of the Active Directory database (NTDS.DIT), and moving laterally inside the network.
Combining Deception Decoys placed in the network, concentrated on the data center segments that hold the "crown jewels", with Deception Lures deployed across servers and endpoints exposes the attacker during the reconnaissance phase, before real assets are reached.
1. A threat actor uses RCE exploits and runs a web shell on the Exchange server to collect intelligence about the server and the surrounding network in preparation for lateral movement.
2. That intelligence gathering (credential dumping, file access, and passive or active network scanning) now returns a mix of real and fake network information.
3. The fake information includes fake cached credentials, fake files, fake network drives, fake network connections, and more.
4. Any use of that fake data against the network reveals the threat actor and triggers a real-time alert, which can drive an automated mitigation response that blocks or isolates the attacker.
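The detection principle behind steps 2 to 4 can be shown in code. The following is an added example, not FortiDeceptor's own code or logic: it keeps an inventory of planted lures and flags any event that references one of them, then escalates hosts that touched several different lure types. The lure values (the account svc_backup_ro, the decoy server 10.20.5.25, the share \\FS-FINANCE01\Backups), the key=value log format and the sample events are all constructed for this example.

```python
"""
Added example, not FortiDeceptor's own code: turning planted lures into
high-confidence alerts.

Hypothetical setup: the defender planted a fake cached credential
(svc_backup_ro) on endpoints, a fake mapped drive that points at a decoy
file server (10.20.5.25) in the data-center segment, and collects
authentication, SMB share-access and network-flow events.  Nothing legitimate
ever references a lure, so a single hit is already actionable, and a host
that touches several different lures is a strong candidate for isolation.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Lure inventory (constructed values for this example).
LURE_ACCOUNTS = {"svc_backup_ro"}          # fake cached credential dropped on endpoints
DECOY_HOSTS = {"10.20.5.25"}               # decoy server in the data-center segment
LURE_SHARES = {r"\\FS-FINANCE01\Backups"}  # fake mapped network drive on endpoints


@dataclass(frozen=True)
class Alert:
    lure_type: str   # which class of lure was touched
    source: str      # host that touched it (candidate for blocking/isolation)
    detail: str      # the raw event, for the analyst


# Constructed sample events (key=value per line). Only 10.10.3.7 misbehaves.
SAMPLE_LOGS = r"""
kind=auth user=jsmith src=10.10.1.14 dst=DC01 result=success
kind=auth user=svc_backup_ro src=10.10.3.7 dst=DC01 result=failure
kind=flow src=10.10.3.7 dst=10.20.5.25 dport=445
kind=flow src=10.10.1.14 dst=10.20.5.10 dport=443
kind=share user=jsmith src=10.10.3.7 path=\\FS-FINANCE01\Backups\ntds.dit
kind=share user=mbrown src=10.10.2.2 path=\\FS-HR01\Public\memo.docx
"""


def parse_event(line: str) -> dict[str, str]:
    """Parse one 'key=value key=value' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def classify(event: dict[str, str]) -> str | None:
    """Return the lure type an event touches, or None if it is ordinary traffic."""
    kind = event.get("kind")
    if kind == "auth" and event.get("user") in LURE_ACCOUNTS:
        # The fake credential never works; any attempt means it was harvested.
        return "lure_credential"
    if kind == "flow" and event.get("dst") in DECOY_HOSTS:
        # Nobody has a business reason to talk to the decoy.
        return "decoy_host"
    if kind == "share":
        path = event.get("path", "").lower()
        if any(path.startswith(share.lower()) for share in LURE_SHARES):
            return "lure_share"
    return None


def detect(log_text: str) -> list[Alert]:
    """Run every event through the lure classifier and collect alerts."""
    alerts: list[Alert] = []
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        lure_type = classify(event)
        if lure_type is not None:
            alerts.append(Alert(lure_type, event.get("src", "?"), line))
    return alerts


def hosts_to_isolate(alerts: list[Alert], min_distinct_lures: int = 2) -> set[str]:
    """Sources that touched at least min_distinct_lures different lure types."""
    touched: dict[str, set[str]] = defaultdict(set)
    for alert in alerts:
        touched[alert.source].add(alert.lure_type)
    return {src for src, kinds in touched.items() if len(kinds) >= min_distinct_lures}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT [{a.lure_type}] from {a.source}: {a.detail}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

Run on the constructed sample, the three events from 10.10.3.7 (a logon attempt with the lure credential, a connection to the decoy server, and a read of a file on the lure share) each produce an alert, and because that host touched three distinct lure types it is returned as a candidate for isolation, while the ordinary events from the other hosts produce nothing. The point is the near-zero false-positive rate: the rules do not need signatures for the web shell or the exploit, only knowledge of what the defender planted.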
FortiDeceptor V3.2.1, V3.3 – Deception Decoys & Lures – full network deployment
FortiDeceptor is part of the Fortinet Security Fabric.
https://www.youtube.com/watch?v=SfiEL7-F5Mo&t=154s
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.