Zero-day vulnerabilities are actively exploited in attacks against local US government agencies.
Microsoft Exchange Server — Zero-Day Vulnerabilities
Mandiant, the information security firm acquired by FireEye, observed multiple instances of abuse of Microsoft Exchange Server.
On March 2, Microsoft warned that four zero-day vulnerabilities were being exploited by threat actors in the wild:
- CVE-2021-26855
A server-side request forgery (SSRF) vulnerability in Exchange that allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. It is considered CRITICAL severity.
Another of the four is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when untrusted, user-controllable data is deserialized by a program.
Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. It requires administrator permission or another vulnerability to exploit.
- CVE-2021-26858, CVE-2021-27065
A post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server.
They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
According to Microsoft, HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
Moreover, HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.
In addition, after exploiting the vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server.
Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.
In short, Exchange users are urged to update their software as quickly as possible.
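A defender-side triage helper for the web shell activity described above, added here as an example and not code from Microsoft, Mandiant or FireEye: it hashes every file under the web roots you pass in, flags matches against a set of known web shell hashes (the published hashes are not reproduced on this page, so `demo()` constructs its own stand-in), and flags server-side scripts modified after a cutoff time so they can be reviewed by hand. The sample tree, file names and hash set in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
import time

WEB_EXTENSIONS = {".aspx", ".asp", ".ashx"}  # server-side script types a web shell would use


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt_webshells(roots, since, known_hashes):
    """Walk the web roots; return (path, reason): 'known-hash' when the SHA-256 is an
    indicator, 'new-web-file' when a web script was modified at/after `since` (epoch)."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    digest, mtime = sha256_file(path), os.path.getmtime(path)
                except OSError:  # unreadable or vanished: skip it rather than abort the hunt
                    continue
                if digest in known_hashes:
                    findings.append((path, "known-hash"))
                elif os.path.splitext(name)[1].lower() in WEB_EXTENSIONS and mtime >= since:
                    findings.append((path, "new-web-file"))
    return findings


def demo():
    """Constructed sample tree standing in for an Exchange web root; returns sorted reasons."""
    samples = {  # name -> (content, age in seconds); all constructed for this example
        "logon.aspx": (b"<constructed web shell sample>", 0),
        "fresh.aspx": (b"<!-- recently written page -->", 0),
        "legacy.aspx": (b"<!-- long-standing page -->", 30 * 86400),
        "notes.txt": (b"not a web script", 0),
    }
    with tempfile.TemporaryDirectory() as base:
        for name, (data, age) in samples.items():
            p = os.path.join(base, name)
            with open(p, "wb") as f:
                f.write(data)
            os.utime(p, (time.time() - age,) * 2)  # back-date old files past the cutoff
        known = {sha256_file(os.path.join(base, "logon.aspx"))}  # stands in for the published hashes
        hits = hunt_webshells([base], since=time.time() - 3600, known_hashes=known)
        return sorted(reason for _path, reason in hits)
```

Run `demo()` to see one known-hash hit and one recently modified script flagged, while the long-standing page and the non-script file produce nothing.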
Web shell hashes
Microsoft Defender Antivirus detections
Please note that some of these detections are generic detections and not unique to this campaign or these exploits.
- Backdoor:JS/Webshell (not unique)
- Trojan:JS/Chopper!dha (not unique)
- Behavior:Win32/DumpLsass.A!attk (not unique)
- Backdoor:HTML/TwoFaceVar.B (not unique)