After little more than a month of reprieve, the infosec community is, once again, back into it. This time the target, though, is even more prevalent than SolarWinds’ Orion. Now the target is Microsoft’s Exchange, and the exploited vulnerability allows for remote code execution (or RCE). We’ve distilled down the facts of the HAFNIUM attack to answer the most important questions.
Table of Contents
On 2 March 2021, Microsoft released a blog article detailing a new threat actor it had dubbed HAFNIUM. Microsoft, the blog identified, has observed the actor exploiting several 0-day vulnerabilities.
Microsoft also highlighted that the HAFNIUM group had previously targeted other organizations. The group, Microsoft identified, has focused on the exploitation of Internet-facing services in the past.
Later that same day, the company Volexity also released a blog article. In their article, they identified that they observed the attacks beginning as early as 3 January 2021.
Hot on the heels of the Microsoft and Volexity blogs, other vendors began to contribute information. On 4 March 2021, FireEye’s Mandiant Intelligence release their own blog post. In it, FireEye identified that they tracked the activity under three separate activity clusters:
One particularly important point in this blog article is that FireEye detected this activity all the way back in January 2021. The article also highlighted various TTPs and tools the actors used. This included:
They also described the actors’ method of deploying webshells on compromised Exchange servers. These webshells were unique though. The webshells detected the presence of specific security products and warn the actors. The security products it detected included FireEye, Carbon Black and Crowdstrike. They described the actors technique of dropping more complex webshells over time. This appears to be to avoid detection.
In time, other vendors have also come forward, including Symantec. They identified that they track HAFNIUM, under the name Ant.
Attribution can be a tricky topic in cyber threat intelligence. Despite this fact, several sources, including Microsoft, have indicated that the HAFNIUM group is “… state-sponsored and operating out of China …”
At this point, the targeting of HAFNIUM appears opportunistic. Indeed, since Microsoft released their initial blog, the actors have “… stepped up attacks on any vulnerable, unpatched Exchange servers (2013, 2016, and 2019) worldwide.” The HAFNIUM group, though, has targeted organizations in the past.
As both Microsoft and FireEye mentioned, HAFNIUM is a group with a bit of track record. Microsoft identified that they have targeted several industries in the past. These included
FireEye also mentioned that they had observed several industries affected by the new attack, including
They also identified that there is possible related activity observed in Asia as well
Since early January, the actors have been exploiting several 0-day vulnerabilities in Exchange. The vulnerabilities, which affect on-premise versions of Microsoft Exchange only, are:
Once the actors establish a foothold in the environment, they will deploy one or more web shells. These are small bits of code that gives the actors control over the system. Once in the environment, the actors use a variety of techniques.
T1003.001 – OS Credential Dumping: LSASS Memory
T1059.001 – Command and Scripting Interpreter: PowerShell
T1114.001 – Email Collection: Local Email Collection
T1136 – Create Account
T1003.003 – OS Credential Dumping: NTDS
T1021.002 – Remote Services: SMB/Windows Admin Shares
T1005 – Data from Local System
T1027 – Obfuscated Files or Information
T1046 – Network Service Scanning
T1059 – Command and Scripting Interpreter
T1070 – Indicator Removal on Host
T1071 – Application Layer Protocol
T1074.002 – Data Staged: Remote Data Staging
T1083 – File and Directory Discovery
T1110 – Brute Force
T1190 – Exploit Public-Facing Application
T1505 – Server Software Component
T1560.001 – Archive Collected Data: Archive via Utility
T1589.002 – Gather Victim Identity Information: Email Addresses
T1590.002 – Gather Victim Network Information: DNS
The bulk of the campaign appears to have taken place over February and March 2021.
What you should do next will likely depend on a few factors.
To get Cyborg Security’s HAFNIUM Community Defense Measures, click the botton below. No sign up required!