Hafnium

TLP

TLP CLEAR

Author

David Deflache

Summary

Microsoft has detected China-linked state-sponsored group HAFNIUM using zero-day exploits to target on-premises Microsoft Exchange Servers. The group gained access to servers, email accounts, and installed malware. Vulnerabilities CVE-2021-26855, -26857, -26858, and -27065 were patched in the latest release. Exchange Online is unaffected. HAFNIUM’s targets include US entities like research, law, education, defense, and NGOs. They exploit internet-facing server flaws and use open-source tools like Covenant for control. They often exfiltrate data to MEGA. The group has also engaged with Office 365 tenants for reconnaissance. HAFNIUM works from leased US virtual private servers.

TIMELINE

DATA

We are consistently providing data for attacks weekly hoping to contribute raising awareness to threats from their data.

windows_security.xml_Download

references

https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://github.com/hackerschoice/CVE-2021-26855/blob/main/PoC_proxyLogon.py

TLP

Author

Summary

TIMELINE

DATA

CATEGORY

references

MITRE ATT&CK

CONTACT US

OUR NEWSLETTER

TLP

Author

Summary

TIMELINE

DATA

CATEGORY

references

MITRE ATT&CK

CONTACT US

SOCIAL MEDIA

OUR NEWSLETTER