Cybersecurity Blog | Ingalls Information Security

HAFNIUM targeting Exchange Servers with 0-day exploits

Written by Daniel Guidry | Mar 3, 2021 5:00:00 AM

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

Affected Software / System

Microsoft Exchange Server

CVE(s) Being Exploited)

CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065


Type

0-Day Exploit


Exploit Status: 

The CVE’s listed above are being actively exploited in the wild.


Rating

High – Severity


Impact

In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.


Ingalls recommends the following actions:

  • Ingalls recommends verifying all Microsoft Exchange Server security updates are current.
  • Ingalls recommends verifying the following MDR tools are deployed on your Exchange Server:
    • Ingalls Windows Log Forwarding Agent
    • Install BlackBerryPROTECT and OPTICS
    • If BlackBerryPROTECT and OPTICS are installed, verify that the current version of .NET is installed and both PROTECT and OPTICS are up-to-date.
    • Notify your Ingalls Security Operations Center (SOC) if you have an on-prem Exchange Server.


Additional Resources:
View full post