Hafnium

Microsoft Exchange Server Zero-days
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

What remediation steps should I take?

  • The steps in the "Have I been compromised?" section help establish the scope of possible exploitation: scanning, unauthorized email access, establishment of persistence via web shells, or post-exploitation activity.
    • Decide between restoring your Exchange Server or moving your mail services to the cloud. You can engage with FastTrack for data migration assistance for Office 365 customers with tenants of 500+ eligible licenses.
  • Follow applicable remediation workflows:
    • Was post-compromise activity related to credential harvesting or lateral movement detected by Microsoft Defender for Endpoint or during manual investigation?
      • Engage your incident response plan. Share the investigation details to your incident response team.
      • If you are engaging with CSS Security or Microsoft Detection and Response Team (DART), and you are a Microsoft Defender for Endpoint customer, see instructions for onboarding Windows Server to Microsoft Defender for Endpoint.
    • Were web shells detected?
      • Clean and restore your Exchange Server:
        • Preserve forensic evidence if your organization requires evidence preservation.
        • Disconnect the Exchange Server from the network, either physically or virtually via firewall rules.
        • Restart Exchange Server.
        • Stop W3WP services.
        • Remove any malicious ASPX files identified via the investigation steps above.
        • Delete all temporary ASP.NET files on the system using the following script:

iisreset /stop
# Temporary ASP.NET Files for the 64-bit CLR version the server is running under;
# web shells dropped as ASPX files leave compiled copies here
$tempAspDir = "$env:Windir\Microsoft.NET\Framework64\$([System.Runtime.InteropServices.RuntimeEnvironment]::GetSystemVersion())\Temporary ASP.NET Files"
# Preserve a copy for forensics before anything is removed
mkdir 'C:\forensicbackup'
Copy-Item -Recurse -Path $tempAspDir -Destination 'C:\forensicbackup'
# Remove the originals, then bring IIS back up
rm -r -Force $tempAspDir
iisreset /start

    • Was mailbox access and exfiltration detected?
      • Disconnect Exchange Server from the network.
      • Apply Security Updates.
      • Run a full EOMT.ps1 scan via ".\EOMT.ps1 -RunFullScan". See the "Have I been compromised?" section for additional instructions for running EOMT.ps1.
      • Resume operation.
    • Was scan-only adversary behavior detected?
      • Disconnect Exchange Server from the network.
      • Apply Security Updates.
      • Resume operation. 

Source: https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/#How_do_I_mitigate_the_threat
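The cleanup script above copies the Temporary ASP.NET Files directory before deleting it but never verifies the copy, so a responder who later needs that evidence has no way to show it is intact. The following is an added example, not part of the Microsoft guidance: it hashes every file first, writes a manifest, verifies the copied tree against it, and only then removes the originals. The default paths reuse the ones from the script above; the backup subfolder name and the manifest layout are this example's own choices. Run it in an elevated PowerShell on the isolated server after "iisreset /stop".

```powershell
# Added example (not from the MSRC guidance): preserve Temporary ASP.NET Files with a
# SHA-256 manifest and verify the copy before the originals are deleted.
param(
    [string]$TempAspDir = "$env:Windir\Microsoft.NET\Framework64\$([System.Runtime.InteropServices.RuntimeEnvironment]::GetSystemVersion())\Temporary ASP.NET Files",
    [string]$BackupRoot = 'C:\forensicbackup'   # same location the cleanup script uses
)

$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = Join-Path $BackupRoot "TempAspNet-$stamp"   # assumed naming, one folder per run
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Hash the originals before touching them; this manifest is what an investigator
#    will later compare the preserved copies against.
$manifest = Get-ChildItem -Path $TempAspDir -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        RelativePath = $_.FullName.Substring($TempAspDir.Length).TrimStart('\')
        LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
        Length       = $_.Length
        Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}
$manifest | Export-Csv -Path (Join-Path $backupDir 'manifest.csv') -NoTypeInformation

# 2. Copy the whole tree into the backup folder, then re-hash every copy and compare.
Copy-Item -Recurse -Path $TempAspDir -Destination $backupDir
$copiedRoot = Join-Path $backupDir (Split-Path $TempAspDir -Leaf)
$mismatch = foreach ($entry in $manifest) {
    $copy = Join-Path $copiedRoot $entry.RelativePath
    if (-not (Test-Path $copy) -or
        (Get-FileHash -Path $copy -Algorithm SHA256).Hash -ne $entry.Sha256) {
        $entry.RelativePath
    }
}
if ($mismatch) {
    # Leave the originals in place: deleting unverified evidence cannot be undone.
    $mismatch | Out-File (Join-Path $backupDir 'verification-failures.txt')
    Write-Error "Backup verification failed for $($mismatch.Count) file(s); originals left in place."
    exit 1
}

# 3. Only now remove the originals, and record what was removed and where it went.
Remove-Item -Recurse -Force -Path $TempAspDir
"$($manifest.Count) files preserved to $backupDir and removed from $TempAspDir" |
    Out-File (Join-Path $backupDir 'summary.txt')
```

Run "iisreset /start" afterwards as in the original script; the manifest.csv timestamps (LastWriteUtc) are also useful for building the timeline of when compiled ASPX artifacts first appeared.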

Observed Countries: 249
