- Introduction
- Advisories, Analysis, and Countermeasures
- CVE's Exploited
- Tools Used in the Attack
- Methodology of Attack
- Detection
- CVE Detections
- Microsoft Defender Queries
- Azure Sentinel Detections
- Sentinel Queries
- Powershell Queries
- STIX Object
- Indicators
- IP addresses
- Hashes
- Paths
- Web Shell Names
- YARA Rules by Volexity
- User Agents
- Contribution
In a major revelation on March 2, 2021, Microsoft published a blog detailing the detection of multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Researchers from Volexity and Dubex also contributed to the discovery of this attack chain.
Threat actors used the vulnerabilities to access on-premises Exchange servers which, in turn, enabled them to access email accounts and install additional malware to gain long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributed the attack campaign with high confidence to HAFNIUM, which is believed to be a state-sponsored group operating out of China, based on observed victimology, tactics, and procedures.
Microsoft has released security updates to address the vulnerabilities. In this blog, we dive into the indicators of compromise (IOCs), tools used in the attacks, methodology, detection mechanisms, and more.
The affected systems show signs of automated scanning and exploitation, which suggests that HAFNIUM used an automation script to exploit vulnerable servers at scale. By implanting a web shell, the threat actors created a backdoor on the vulnerable Exchange servers that allowed further post-exploitation activity.
The affected organizations appear to be mostly small and medium-sized rather than large enterprises, possibly because large enterprises more often use cloud-hosted email. In a press conference, White House press secretary Jen Psaki urged everyone running vulnerable Exchange servers to patch them immediately.
- Cyware Labs : List of All CVEs and IOCs Used by HAFNIUM to Target Microsoft Exchange Servers
- Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits
- Volexity: Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
- DHS Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- US-CERT: Mitigate Microsoft Exchange Server Vulnerabilities
- US Cert: Updated Release
- Wired: Chinese Hacking Spree Hit an 'Astronomical' Number of Victims
- AlienVault: Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
These are the CVE IDs of the vulnerabilities exploited by Hafnium in the Microsoft Exchange Server attack:
- ASP Web shells
- MiniDump
- Procdump
- 7-Zip
- PsExec
- Exchange PowerShell snap-ins
- Nishang
- Powercat
- ASP web shells for initial access and to perform additional malicious actions
- Procdump to dump the LSASS process memory and harvest credentials
- 7-Zip to compress stolen data into ZIP files for exfiltration
- Exchange PowerShell snap-ins to export mailbox data
- Nishang Invoke-PowerShellTcpOneLine reverse shell
- PowerCat from GitHub, then using it to open a connection to a remote server
Information regarding the CVE's exploited and detection mechanisms can be found here
A list of Microsoft Defender queries, both specific to the HAFNIUM attack and generic detections, can be found here
HAFNIUM Suspicious Exchange Request
HAFNIUM UM Service writing suspicious file
HAFNIUM New UM Service Child Process
HAFNIUM Suspicious UM Service Errors
HAFNIUM Suspicious File Downloads
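The two "UM Service" detections above (the Unified Messaging worker process writing unexpected files, and it spawning child processes) can be hunted for locally with Sysmon telemetry. The script below is an added example written for this page, not code from this repository or from Microsoft; it assumes Sysmon is installed and logging Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate), the allowlists of benign extensions and child processes are assumptions to tune per environment, and the sample events at the bottom (including the file names and paths in them) are constructed, not real telemetry.

```powershell
# Added example (not part of this repository): a PowerShell hunt for the
# HAFNIUM "UM service" behaviours, using Sysmon as the data source.
# Assumes Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate).

# Extensions the UM worker process normally writes (assumption; tune per environment).
$BenignUMExtensions = @('.txt', '.log', '.cfg', '.bin')
# Child processes the UM worker legitimately spawns (crash reporting only; assumption).
$BenignUMChildren   = @('wermgr.exe', 'werfault.exe')

function Test-SuspiciousUMFileWrite {
    # True when UMWorkerProcess.exe writes a file type it has no reason to write,
    # e.g. an .aspx dropped into a web-served directory.
    param([Parameter(Mandatory)][string]$Image,
          [Parameter(Mandatory)][string]$TargetFilename)
    if ((Split-Path -Leaf $Image) -ne 'UMWorkerProcess.exe') { return $false }
    $ext = [System.IO.Path]::GetExtension($TargetFilename).ToLowerInvariant()
    return ($BenignUMExtensions -notcontains $ext)
}

function Test-SuspiciousUMChildProcess {
    # True when UMWorkerProcess.exe spawns anything other than the Windows
    # error-reporting helpers.
    param([Parameter(Mandatory)][string]$ParentImage,
          [Parameter(Mandatory)][string]$Image)
    if ((Split-Path -Leaf $ParentImage) -ne 'UMWorkerProcess.exe') { return $false }
    $child = (Split-Path -Leaf $Image).ToLowerInvariant()
    return ($BenignUMChildren -notcontains $child)
}

function Find-UMAnomaly {
    # Applies both checks to a stream of flattened Sysmon events
    # (objects carrying Id, TimeCreated and the EventData fields).
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        switch ($Event.Id) {
            11 {
                if (Test-SuspiciousUMFileWrite -Image $Event.Image -TargetFilename $Event.TargetFilename) {
                    [pscustomobject]@{ Time = $Event.TimeCreated; Rule = 'UM service writing suspicious file'; Detail = $Event.TargetFilename }
                }
            }
            1 {
                if (Test-SuspiciousUMChildProcess -ParentImage $Event.ParentImage -Image $Event.Image) {
                    [pscustomobject]@{ Time = $Event.TimeCreated; Rule = 'New UM service child process'; Detail = $Event.CommandLine }
                }
            }
        }
    }
}

function Get-SysmonUMEvent {
    # Pulls the relevant Sysmon events from the local host and flattens EventData
    # (Image, TargetFilename, ParentImage, CommandLine, ...) into plain properties.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 11; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $fields = @{ Id = $_.Id; TimeCreated = $_.TimeCreated }
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

# --- Constructed sample events (not real logs) to exercise the logic offline ---
$um = 'C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe'
$SampleEvents = @(
    [pscustomobject]@{ Id = 11; TimeCreated = (Get-Date); Image = $um; TargetFilename = 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\UnifiedMessaging\UM_Report.txt' }
    [pscustomobject]@{ Id = 11; TimeCreated = (Get-Date); Image = $um; TargetFilename = 'C:\inetpub\wwwroot\aspnet_client\sample.aspx' }
    [pscustomobject]@{ Id = 1;  TimeCreated = (Get-Date); ParentImage = $um; Image = 'C:\Windows\System32\WerFault.exe'; CommandLine = 'WerFault.exe -u -p 4321' }
    [pscustomobject]@{ Id = 1;  TimeCreated = (Get-Date); ParentImage = $um; Image = 'C:\Windows\System32\cmd.exe';      CommandLine = 'cmd.exe /c whoami' }
)
$SampleEvents | Find-UMAnomaly | Format-Table -AutoSize

# On a live Exchange server replace the sample with real telemetry:
#   Get-SysmonUMEvent -Hours 72 | Find-UMAnomaly
```

Run against the constructed sample, the script flags the .aspx write and the cmd.exe child and ignores the .txt log and the WerFault.exe crash handler. The allowlists are deliberately short: the UM worker writes very few file types and should never launch a shell, so an allowlist is a tighter detection than trying to enumerate malicious names, and it also catches web shells dropped under names not yet on any IOC list.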
A collection of Sentinel queries used to detect the behaviours of this attack can be found here
A list of malicious IP addresses can be found here
A list of hashes that indicate the presence of the ASP web shells used in the attack can be found here
A list of common paths used by HAFNIUM to download the web shells can be found here
A list of names commonly used by the webshells can be found here
Security firm Volexity has published a list of YARA rules which assist defenders in analysing the attack which can be found here
While these are not reliable indicators on their own, a list of user agents that were used to make the malicious requests can be found here
We are always on the lookout for the latest indicators, detection mechanisms, and relationships. If you notice something we have missed or would like to add, please raise an issue or create a pull request!