Cyber Incident Response – Hafnium Zero-day Attack
Our cyber incident response team has worked across the globe on ransomware attacks, 0-days, insider threats and account compromise.
Early in 2021 Microsoft announced a number of 0-day exploits that we’re being actively used to attack on-premise MS Exchange servers. Following this announcement we saw a large spike in attacks across Europe with our associates also being called into a number of incidents.
The internal IT team at this small European Internet Service Provider, had observed suspicious activity on the MS Exchange Server. They were highly concerned due to the nature of the business that they run and the impact it could have on their customers.
Initially the team reached out to one of their Managed IT Support Providers for assistance, who realised they wouldn’t be able to assist because of the specialist nature of the work. The Managed IT Support Provider works closely with First Response for security consultancy and made a referral for the Internet Service Provider.
Our cyber incident response team worked closely with both teams to conduct a through investigation of the situation. This included an analysis of the MS Exchange Server logs along with the wider network and endpoint infrastructure logs. The First Response Incident Response team also deployed specialist software across the environment to look for further suspicious activity, indicators of attack and indicators of compromise.
Following a full forensic investigation and root-cause analysis across the infrastructure, First Response were able to conclude that the attackers were unable to pivot beyond the initially compromised server.
This meant that the there was no requirement to report the breach under the General Data Protection Regulation (GDPR) and that the IT team could focus on implementing the recommendations made by First Response.
HOW WE CAN HELP
If you have a cybersecurity incident, believe you are under attack or have been compromised, then call us immediately for assistance on 020 7193 4905 or email us as incident [at] first-response.co.uk