SOC Incident Toolkit
Hafnium

Microsoft Exchange Server Zero-days

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

Indicators of Compromise

Hashes (10)


IPv4 (18)

91.192.103.43
5.2.69.14
165.232.154.116
80.92.205.81
104.250.191.110
5.254.43.18
185.250.151.72
104.140.114.110
203.160.69.66
167.99.168.251
108.61.246.56
157.230.221.198
211.56.98.146
192.81.208.169
149.28.14.163
89.34.111.11
182.18.152.105
86.105.18.116

Notes

<p>The IOCs containing the <b>file names</b> are given below. These are the names of the ASPX web shells observed in this campaign. Several of them (for example FU7Vif5K.aspx) are random eight-character strings, so the list is not exhaustive: any unexpected .aspx file in the Exchange web directories deserves review, not only the names listed here.</p>
<ul>
<li>web.aspx</li>
<li>help.aspx</li>
<li>document.aspx</li>
<li>errorEE.aspx</li>
<li>errorEEE.aspx</li>
<li>errorEW.aspx</li>
<li>errorFF.aspx</li>
<li>healthcheck.aspx</li>
<li>aspnet_www.aspx</li>
<li>aspnet_client.aspx</li>
<li>xx.aspx</li>
<li>shell.aspx</li>
<li>aspnet_iisstart.aspx</li>
<li>one.aspx</li>
<li>errorcheck.aspx</li>
<li>t.aspx</li>
<li>discover.aspx</li>
<li>aspnettest.aspx</li>
<li>error.aspx</li>
<li>shellex.aspx</li>
<li>FU7Vif5K.aspx</li>
<li>ICK4sMeJ.aspx</li>
<li>jFabdYwZ.aspx</li>
<li>hjmQWreC.aspx</li>
<li>CX47ujQS.aspx</li>
<li>gwVPU69R.aspx</li>
<li>M2gRp7Zo.aspx</li>
<li>XJrBqeul.aspx</li>
<li>Tx2tWFMb.aspx</li>
<li>supp0rt.aspx</li>
<li>HttpProxy.aspx</li>
</ul>
<p>The IOCs containing the <b>user agents</b> are given below. They are written exactly as IIS records them, with spaces encoded as "+". All but the last impersonate legitimate search-engine or social-media crawlers, so a user-agent match on its own is weak evidence; correlate it with the source IPs above and with requests to the file names listed here.</p>
<ul>
<li>DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)</li>
<li>facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)</li>
<li>Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)</li>
<li>Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)</li>
<li>Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html</li>
<li>Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)</li>
<li>Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)</li>
<li>Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)</li>
<li>Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36</li>
</ul>
<p>Source: https://github.com/stressboi/hafnium-exchange-splunk-csvs</p>
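To turn the indicators above into something a responder can run on the Exchange server itself, the following PowerShell is an added example for this page; it is not code from the original page, from Microsoft, or from the stressboi repository. It reads IIS W3C logs, takes the column layout from the "#Fields:" header, and matches each request against the IOC source IPs, the IOC user agents (kept in the IIS "+" form) and the web shell file names. A hit on the IP or on a shell name is rated high confidence; a user-agent-only hit is rated low, because genuine crawlers send the same strings. The IIS log path C:\inetpub\logs\LogFiles is the product default and is an assumption here, and the sample log lines are constructed, not data from the page.

```powershell
# Added example: hunt the Hafnium IOCs from this page in IIS W3C logs on an Exchange server.
# Not part of the original page or of the Microsoft guidance it summarises.
# IIS writes spaces inside the user agent as '+', which is why the IOC strings contain '+'.

$IocIPs = @(
    '91.192.103.43', '5.2.69.14', '165.232.154.116', '80.92.205.81', '104.250.191.110',
    '5.254.43.18', '185.250.151.72', '104.140.114.110', '203.160.69.66', '167.99.168.251',
    '108.61.246.56', '157.230.221.198', '211.56.98.146', '192.81.208.169', '149.28.14.163',
    '89.34.111.11', '182.18.152.105', '86.105.18.116'
)

$IocUserAgents = @(
    'DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)',
    'facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)',
    'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)',
    'Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)',
    'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html',
    'Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)',
    'Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)',
    'Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)',
    'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36'
)

$IocShellNames = @(
    'web.aspx', 'help.aspx', 'document.aspx', 'errorEE.aspx', 'errorEEE.aspx', 'errorEW.aspx',
    'errorFF.aspx', 'healthcheck.aspx', 'aspnet_www.aspx', 'aspnet_client.aspx', 'xx.aspx',
    'shell.aspx', 'aspnet_iisstart.aspx', 'one.aspx', 'errorcheck.aspx', 't.aspx', 'discover.aspx',
    'aspnettest.aspx', 'error.aspx', 'shellex.aspx', 'FU7Vif5K.aspx', 'ICK4sMeJ.aspx', 'jFabdYwZ.aspx',
    'hjmQWreC.aspx', 'CX47ujQS.aspx', 'gwVPU69R.aspx', 'M2gRp7Zo.aspx', 'XJrBqeul.aspx', 'Tx2tWFMb.aspx',
    'supp0rt.aspx', 'HttpProxy.aspx'
)

function Find-HafniumIisHits {
    # Takes raw IIS W3C log lines and emits one record per line that matches an IOC.
    # Column positions come from the '#Fields:' header, so non-default field orders work.
    param([Parameter(Mandatory)][string[]]$Lines)

    $required = 'date', 'time', 'c-ip', 'cs-uri-stem', 'cs(User-Agent)'
    $col = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $names = $line.Substring(8).Trim() -split ' '
            $col = @{}
            for ($i = 0; $i -lt $names.Count; $i++) { $col[$names[$i]] = $i }
            foreach ($r in $required) {
                if (-not $col.ContainsKey($r)) { throw "IIS log header lacks field '$r'" }
            }
            continue
        }
        if ($null -eq $col -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $f = $line -split ' '
        if ($f.Count -lt $col.Count) { continue }   # truncated line, skip it
        $clientIp = $f[$col['c-ip']]
        $uriStem  = $f[$col['cs-uri-stem']]
        $ua       = $f[$col['cs(User-Agent)']]
        $leaf     = $uriStem.Split('/')[-1]

        $reasons = @()
        $strong  = $false
        if ($IocIPs -contains $clientIp)    { $reasons += "ioc-ip:$clientIp";    $strong = $true }
        if ($IocShellNames -contains $leaf) { $reasons += "webshell-name:$leaf"; $strong = $true }
        if ($IocUserAgents -contains $ua)   { $reasons += 'ioc-user-agent' }
        if ($reasons.Count -eq 0) { continue }

        # Real crawlers send these same user agents, so a UA-only match is low confidence.
        $confidence = if ($strong) { 'high' } else { 'low' }
        [pscustomobject]@{
            Time       = '{0} {1}' -f $f[$col['date']], $f[$col['time']]
            ClientIp   = $clientIp
            Uri        = $uriStem
            Confidence = $confidence
            Reasons    = $reasons -join ', '
        }
    }
}

function Get-HafniumIisHits {
    # Scan every IIS log under a directory. C:\inetpub\logs\LogFiles is the IIS default and
    # an assumption here; point it at your server's configured log directory.
    param([string]$LogDirectory = 'C:\inetpub\logs\LogFiles')
    Get-ChildItem -LiteralPath $LogDirectory -Filter 'u_ex*.log' -Recurse -File | ForEach-Object {
        $lines = Get-Content -LiteralPath $_.FullName
        if ($lines) { Find-HafniumIisHits -Lines $lines }
    }
}

# Constructed sample log (not a real capture): a request from an IOC IP with a spoofed Bingbot
# UA to a web shell name, an ordinary OWA logon, and a later hit on a shell from a new IP.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 04:12:55 10.0.0.5 POST /owa/auth/web.aspx - 443 - 104.140.114.110 Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm) - 200 0 0 31
2021-03-03 04:13:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/88.0 - 200 0 0 12
2021-03-03 06:41:40 10.0.0.5 POST /aspnet_client/help.aspx - 443 - 198.51.100.9 python-requests/2.25.1 - 200 0 0 5
'@

Find-HafniumIisHits -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Run against the sample, the first line is reported as high confidence with all three reasons, the OWA logon is not reported, and the third line is reported as high confidence on the shell name alone, which is the pattern to expect once the actor returns to a dropped shell from infrastructure not yet on any IOC list. On a live server, call Get-HafniumIisHits and export the results before remediation so the evidence survives the clean-up.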

Mitigation

<p>The best and most complete mitigation for these threats is to update to a supported version of Exchange Server and ensure it is fully updated. If it is not possible to immediately move to the current Exchange Server Cumulative Update and apply security updates, additional strategies for mitigation are provided below. These lesser mitigation strategies are only a temporary measure while you install the latest Cumulative Update and Security Updates. Note that patching or applying a mitigation closes the entry point but does not remove anything already dropped on the server; if the indicators above are present, treat the server as compromised and investigate before relying on the update.</p>
<h3>Immediate temporary mitigations</h3>
<p>The following mitigation options can help protect your Exchange Server until the necessary Security Updates can be installed. These solutions should be considered temporary, but can help enhance safety while additional mitigation and investigation steps are being completed.</p>
<ul>
<li>Run <a href="https://aka.ms/eomt"><em>EOMT.ps1</em></a> (<b>Recommended</b>) – The Exchange On-premises Mitigation Tool (<em>EOMT.ps1</em>) mitigates CVE-2021-26855 and attempts to discover and remediate malicious files. When run, it first checks whether the system is vulnerable to CVE-2021-26855 and, if so, installs a mitigation for it. It then automatically downloads and runs Microsoft Safety Scanner (MSERT). This is the preferred approach when your Exchange Server has internet access.</li>
<li>Run <a href="https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchangemitigationsps1"><em>ExchangeMitigations.ps1</em></a> – The ExchangeMitigations.ps1 script applies mitigations but does not perform additional scanning. This is an option for Exchange Servers without internet access or for customers who do not want Microsoft Safety Scanner to attempt removing malicious activity it finds.</li>
</ul>
<h3>Applying the current Exchange Server Cumulative Update</h3>
<p>The best, most complete mitigation is to get to a current Cumulative Update and apply all Security Updates. <b>This is the recommended solution providing the strongest protection against compromise</b>.</p>
<ul>
<li>See installation instructions at <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901">Released: March 2021 Exchange Server Security Updates</a>.</li>
</ul>
<p>Watch the following video for guidance on applying security updates: https://www.youtube.com/embed/7gtO2G6Zack</p>
<h3>Apply security hotfixes to older Cumulative Updates</h3>
<p>To assist organizations that may require additional time and planning to get to a supported Cumulative Update, security hotfixes have been made available. Applying these security hotfixes to older Cumulative Updates mitigates these specific Exchange vulnerabilities, but it does not address other security issues that your Exchange Server may be vulnerable to. This approach is only recommended as a temporary solution while you move to a supported Cumulative Update.</p>
<ul>
<li>See installation instructions at <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020">March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server</a>.</li>
</ul>
<h3>Isolation of your Exchange Server</h3>
<p>To reduce the risk of exploitation of the vulnerabilities, the Exchange Server can be isolated from the public internet by blocking inbound connections over port 443.</p>
<ul>
<li>Blocking port 443 from receiving inbound internet traffic provides temporary protection until Security Updates can be applied, but it reduces functionality: it can inhibit work-from-home or other non-VPN remote work scenarios, and it does not protect against adversaries who may already be present in your internal network.</li>
<li>The most comprehensive way to do this is to use the perimeter firewalls that currently route inbound 443 traffic to block that traffic. You can also use <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security">Windows Firewall</a> to accomplish this, but you will have to remove all inbound 443 traffic rules prior to blocking the traffic.</li>
</ul>
<p><b>Source:</b> https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/#How_do_I_mitigate_the_threat</p>