Product coverage
Trend Micro product solutions for the Exchange Server vulnerabilities (CVE-2021-26855 and others) are as follows.

| Trend Micro countermeasure | Detection name / policy / rule name |
|---|---|
| Deep Discovery Inspector Rule | Rule 4527: CVE-2021-26855 - Exchange Server Side Request Forgery Exploit SB - HTTP (REQUEST) |
| | Rule 4532: CVE-2021-26855 - Exchange Server Side Request Forgery Exploit - HTTP (REQUEST) - Variant 2 |
| TippingPoint Filter Rule | Rule 39101: HTTP: Microsoft Exchange Server Side Request Forgery Vulnerability |
| Deep Security DPI (Deep Packet Inspection) | Rule 1010854: Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855) |
Solutions covering the attack campaigns that we have confirmed exploiting these vulnerabilities are as follows.

| Trend Micro countermeasure | Pattern number / filter set | Release date | Detection name / policy / rule name |
|---|---|---|---|
| Virus pattern (VSAPI/Smart Scan) | 16.585.00 | 10-Mar-21 | Trojan.ASP.SECCHECKER.A |
| | 16.583.00 | 9-Mar-21 | Backdoor.ASP.SECCHECHECKER.A |
| | 16.585.00 | 10-Mar-21 | Backdoor.ASP.CHOPPER.ASPGIG |
| | 16.587.00 | 11-Mar-21 | Backdoor.ASP.WEBSHELL.UWMANM |
| | 16.587.00 | 11-Mar-21 | Trojan.PS1.BOXTER.A |
| Spyware pattern (SSAPI/Smart Scan) | 2.389.00 | 10-Mar-21 | HackTool.PS1.PowerCat.A |
| Deep Security DPI (Deep Packet Inspection) | | | Rule 1010855: Microsoft Exchange - HAFNIUM Targeted Vulnerabilities |
| | | | Rule 1007170: Identified Suspicious China Chopper Webshell Communication (ATT&CK T1100) |
| TippingPoint Filter Rule | ThreatDV malware filters | | Rule 39283: HTTP: Covenant Grunt Runtime Detection (Default Profile - Plaintext) |
| | | | Rule 39284: HTTP: Covenant Grunt Runtime Detection (Default profile - Base64 Encoded) |
| | | | Rule 39285: HTTP: Backdoor.Shell.Krypcoihilo.A Runtime Detection |
| | | | Rule 39295: HTTP: Whafnium Webshell Payload Detected |
| | Post-exploitation detection filters | | Rule 26898: Tunneling: reGeorg SOCKS Proxy Checkin Traffic |
| | | | Rule 26899: Tunneling: reGeorg SOCKS Proxy Traffic Checkin Response |
| | | | Rule 26900: Tunneling: reGeorg SOCKS Proxy Sending Command Traffic |
| | | | Rule 34152: HTTP: China Chopper PHP Webshell Traffic Detected (My Script RunInBrowser Control Command) |
| | | | Rule 34153: HTTP: China Chopper PHP Webshell Traffic Detected (Control Commands) |
| | | | Rule 34154: HTTP: China Chopper ASP Webshell Traffic Detected (Control Commands) |
| | | | Rule 34257: HTTP: China Chopper ASPX Webshell Traffic Detected (Control Commands) |
| | | | Rule 35779: HTTP: China Chopper ASP/JSP Webshell Payload Detection |
| | | | Rule 36192: HTTP: China Chopper ASP Webshell Payload Only Detection |
■SECURITY ALERT: Microsoft Exchange 0-Day Exploit Detection, Protection and Response
https://success.trendmicro.com/solution/000285882