Summary

Microsoft has detected China-linked state-sponsored group HAFNIUM using zero-day exploits to target on-premises Microsoft Exchange Servers. The group gained access to servers, email accounts, and installed malware. Vulnerabilities CVE-2021-26855, -26857, -26858, and -27065 were patched in the latest release. Exchange Online is unaffected. HAFNIUM’s targets include US entities like research, law, education, defense, and NGOs. They exploit internet-facing server flaws and use open-source tools like Covenant for control. They often exfiltrate data to MEGA. The group has also engaged with Office 365 tenants for reconnaissance. HAFNIUM works from leased US virtual private servers.