
Hafnium

By Detecteam, 2023-09-01

TLP

TLP CLEAR

Author

David Deflache

Summary

Microsoft has detected the China-linked, state-sponsored group HAFNIUM using zero-day exploits to target on-premises Microsoft Exchange Servers. The group gained access to servers and email accounts and installed malware. The vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 were patched in the latest Exchange release; Exchange Online is unaffected. HAFNIUM's targets include US entities in research, law, education, defense, and NGOs. The group exploits flaws in internet-facing servers and uses open-source tools such as Covenant for command and control. It often exfiltrates data to MEGA. The group has also interacted with Office 365 tenants for reconnaissance. HAFNIUM operates from leased virtual private servers in the US.

TIMELINE

DATA

We publish attack data weekly, hoping to raise awareness of threats through the data they leave behind.

windows_security.xml (download)

CATEGORY

Dataleak

References

  • https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1
  • https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
  • https://github.com/hackerschoice/CVE-2021-26855/blob/main/PoC_proxyLogon.py

MITRE ATT&CK

Post Tags:

  • T1005 - Data from Local System
  • T1027 - Obfuscated Files or Information
  • T1041 - Exfiltration Over C2 Channel
  • T1059 - Command Line Interface
  • T1078 - Valid Accounts
  • T1114 - Email Collection
  • T1485 - Data Destruction
  • T1490 - Inhibit System Recovery
  • T1497 - Virtualization/Sandbox Evasion
  • T1590 - Conduct Reconnaissance

About Detecteam

Detecteam is transforming cybersecurity detection from static rule-writing to autonomous, continuous validation. Our REFLEX platform automates the detection lifecycle—building, testing, validating and deploying detections in minutes, not months. We help enterprises maximize ROI on existing tools, close high-risk detection gaps faster, and scale security outcomes without scaling headcount. This is the future of detection-as-code, and we’re leading it.