
Hafnium
Microsoft Exchange Server Zero-days
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
What remediation steps should I take?
- The steps in the Have I been compromised? section help establish the scope of possible exploitation: scanning, unauthorized email access, establishment of persistence via web shells, or post-exploitation activity.
- Follow the applicable remediation workflow:
  - Was post-compromise activity related to credential harvesting or lateral movement detected by Microsoft Defender for Endpoint or during manual investigation?
    - Engage your incident response plan. Share the investigation details with your incident response team.
    - If you are engaging with CSS Security or the Microsoft Detection and Response Team (DART), and you are a Microsoft Defender for Endpoint customer, see the instructions for onboarding Windows Server to Microsoft Defender for Endpoint.
  - Were web shells detected?
    - Clean and restore your Exchange Server:
      - Preserve forensic evidence if your organization requires evidence preservation.
      - Disconnect the Exchange Server from the network, either physically or virtually via firewall rules.
      - Restart the Exchange Server.
      - Stop the W3WP services.
      - Remove any malicious ASPX files identified via the investigation steps above.
      - Delete all temporary ASP.NET files on the system using the following script:

        ```powershell
        # Stop IIS so no worker process holds the compiled ASP.NET files open.
        iisreset /stop
        # Temporary ASP.NET Files for the 64-bit CLR that hosts the Exchange app pools;
        # compiled web shell assemblies end up here.
        $tempAspDir = "$env:Windir\Microsoft.NET\Framework64\$([System.Runtime.InteropServices.RuntimeEnvironment]::GetSystemVersion())\Temporary ASP.NET Files"
        # Keep a copy for forensics before deleting (-Force: do not fail if the folder already exists).
        mkdir 'C:\forensicbackup' -Force
        Copy-Item -Recurse -Path $tempAspDir -Destination 'C:\forensicbackup'
        rm -r -Force $tempAspDir
        iisreset /start
        ```

      - Run a full EOMT.ps1 scan via “.\EOMT.ps1 -RunFullScan”. See Have I been compromised? for additional instructions for running EOMT.ps1.
      - Apply Security Updates. See How do I mitigate the threat?
      - Reset administrator credentials.
      - Consider submitting suspected malicious files to Microsoft for analysis following this guidance: Submit files for analysis by Microsoft and include the string “ExchangeMarchCVE” in the Additional Information text box of the submission form.
  - Was mailbox access and exfiltration detected?
    - Disconnect the Exchange Server from the network.
    - Apply Security Updates.
    - Run a full EOMT.ps1 scan via “.\EOMT.ps1 -RunFullScan”. See Have I been compromised? for additional instructions for running EOMT.ps1.
    - Resume operation.
  - Was scan-only adversary behavior detected?
    - Disconnect the Exchange Server from the network.
    - Apply Security Updates.
    - Resume operation.
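The web shell workflow above hinges on two steps that are easy to get wrong under pressure: preserving evidence before removing the ASPX files, and purging the compiled ASP.NET artefacts. The following script is an added example and is not Microsoft's guidance or the EOMT tooling; it takes the list of malicious ASPX paths that the investigation already identified (an assumed input), hashes and copies each one into a timestamped case folder with a CSV manifest, then removes them, and purges Temporary ASP.NET Files for both the 64-bit and 32-bit framework directories rather than Framework64 alone. The case folder layout, manifest columns and the `-Execute` switch (nothing is deleted without it) are this example's own choices.

```powershell
# Added example (not from the MSRC guidance): preserve-then-remove for web shell files
# already identified by investigation, plus the Temporary ASP.NET Files purge for both
# framework bitnesses. Paths, manifest layout and the -Execute switch are assumptions.
#Requires -RunAsAdministrator
param(
    [string[]]$SuspectFiles = @(),                 # ASPX paths from the investigation (assumed input)
    [string]$ForensicRoot = 'C:\forensicbackup',   # same root the MSRC script uses
    [switch]$Execute                               # without -Execute this is a dry run
)

$ErrorActionPreference = 'Stop'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$caseDir = Join-Path $ForensicRoot "webshell-$stamp"
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

# 1. Preserve: hash and copy every suspect file before anything on disk is touched.
$manifest = foreach ($f in $SuspectFiles) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Warning "Not found: $f"; continue }
    $item = Get-Item -LiteralPath $f
    # Flatten the original path into the backup file name so the origin stays recoverable.
    $dest = Join-Path $caseDir ($item.FullName -replace '[:\\]', '_')
    Copy-Item -LiteralPath $item.FullName -Destination $dest
    [pscustomobject]@{
        Path         = $item.FullName
        SHA256       = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        SizeBytes    = $item.Length
        CreationUtc  = $item.CreationTimeUtc.ToString('o')
        LastWriteUtc = $item.LastWriteTimeUtc.ToString('o')
        BackupCopy   = $dest
    }
}
$manifest | Export-Csv -LiteralPath (Join-Path $caseDir 'manifest.csv') -NoTypeInformation
$manifest | Format-Table Path, SHA256, LastWriteUtc -AutoSize

# 2. Remove: only after the copies and manifest exist, and only with -Execute.
#    IIS is stopped first so no w3wp.exe holds the files or their compiled copies open.
iisreset /stop | Out-Null
foreach ($m in $manifest) {
    if ($Execute) { Remove-Item -LiteralPath $m.Path -Force }
    else          { Write-Host "[dry-run] would remove $($m.Path)" }
}

# 3. Purge compiled ASP.NET artefacts. The MSRC script handles Framework64 only; this
#    example also covers the 32-bit Framework directory when it exists, backing each up first.
$clr = [System.Runtime.InteropServices.RuntimeEnvironment]::GetSystemVersion()
foreach ($fw in 'Framework64', 'Framework') {
    $tempAsp = "$env:WinDir\Microsoft.NET\$fw\$clr\Temporary ASP.NET Files"
    if (-not (Test-Path -LiteralPath $tempAsp)) { continue }
    Copy-Item -LiteralPath $tempAsp -Destination (Join-Path $caseDir "$fw-TempAspNet") -Recurse
    if ($Execute) { Remove-Item -LiteralPath $tempAsp -Recurse -Force }
    else          { Write-Host "[dry-run] would purge $tempAsp" }
}
iisreset /start | Out-Null
```

Run it first without `-Execute` to confirm the manifest lists exactly the files the investigation flagged; the SHA256 values in `manifest.csv` are what you would attach to a Microsoft file submission or hand to an incident response team, and the backup copies let you keep the server isolated while the originals are removed.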
Source: https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/#How_do_I_mitigate_the_threat
Observed Countries (249)
AD (608)
AE (554)
AF (640)
AG (436)
AI (847)
AL (429)
AM (342)
AO (800)
AQ (138)
AR (135)
AS (906)
AT (322)
AU (895)
AW (742)
AX (905)
AZ (838)
BA (149)
BB (417)
BD (729)
BE (458)
BF (876)
BG (556)
BH (177)
BI (691)
BJ (192)
BL (405)
BM (235)
BN (233)
BO (946)
BQ (305)
BR (16)
BS (699)
BT (339)
BV (505)
BW (422)
BY (889)
BZ (702)
CA (50)
CC (846)
CD (831)
CF (539)
CG (956)
CH (165)
CI (711)
CK (846)
CL (701)
CM (578)
CN (302)
CO (953)
CR (255)
CU (561)
CV (854)
CW (500)
CX (804)
CY (642)
CZ (112)
DE (187)
DJ (100)
DK (524)
DM (714)
DO (331)
DZ (906)
EC (378)
EE (696)
EG (548)
EH (912)
ER (923)
ES (72)
ET (374)
FI (602)
FJ (385)
FK (172)
FM (594)
FO (736)
FR (160)
GA (850)
GB (243)
GD (903)
GE (120)
GF (600)
GG (159)
GH (620)
GI (606)
GL (109)
GM (16)
GN (210)
GP (709)
GQ (931)
GR (547)
GS (177)
GT (899)
GU (89)
GW (585)
GY (594)
HK (888)
HM (205)
HN (660)
HR (516)
HT (311)
HU (575)
ID (755)
IE (307)
IL (397)
IM (146)
IN (691)
IO (614)
IQ (240)
IR (950)
IS (552)
IT (152)
JE (127)
JM (557)
JO (368)
JP (786)
KE (316)
KG (895)
KH (725)
KI (666)
KM (176)
KN (535)
KP (405)
KR (886)
KW (186)
KY (59)
KZ (800)
LA (89)
LB (282)
LC (140)
LI (559)
LK (374)
LR (399)
LS (860)
LT (361)
LU (491)
LV (572)
LY (404)
MA (611)
MC (229)
MD (280)
ME (790)
MF (151)
MG (493)
MH (748)
MK (40)
ML (524)
MM (939)
MN (358)
MO (782)
MP (782)
MQ (407)
MR (592)
MS (487)
MT (374)
MU (555)
MV (831)
MW (324)
MX (751)
MY (748)
MZ (421)
NA (61)
NC (314)
NE (107)
NF (476)
NG (220)
NI (285)
NL (78)
NO (715)
NP (249)
NR (769)
NU (220)
NZ (85)
OM (992)
PA (912)
PE (23)
PF (48)
PG (678)
PH (946)
PK (51)
PL (318)
PM (571)
PN (177)
PR (65)
PS (716)
PT (329)
PW (381)
PY (417)
QA (703)
RE (283)
RO (367)
RS (784)
RU (845)
RW (96)
SA (4)
SB (532)
SC (812)
SD (370)
SE (205)
SG (518)
SH (915)
SI (491)
SJ (694)
SK (226)
SL (788)
SM (840)
SN (893)
SO (790)
SR (847)
SS (32)
ST (303)
SV (62)
SX (949)
SY (916)
SZ (963)
TC (336)
TD (365)
TF (858)
TG (113)
TH (903)
TJ (258)
TK (461)
TL (35)
TM (775)
TN (696)
TO (860)
TR (81)
TT (551)
TV (35)
TW (144)
TZ (604)
UA (270)
UG (476)
UM (806)
US (52)
UY (51)
UZ (300)
VA (154)
VC (894)
VE (739)
VG (605)
VI (895)
VN (595)
VU (853)
WF (327)
WS (873)
YE (622)
YT (344)
ZA (194)
ZM (208)
ZW (707)