
Hafnium Attack Exploits On-premise Microsoft Exchange Servers

By John Mancini, Product Management | March 4, 2021

On Tuesday, March 2nd, the Microsoft Threat Intelligence Center (MTIC) disclosed details of a campaign, dubbed Hafnium, that is targeting on-premises Microsoft Exchange servers. The attack chains several zero-day exploits in Exchange that allow the attackers to bypass authentication, including multi-factor authentication (MFA), to access e-mail accounts within targeted organizations, remotely execute malware on vulnerable Exchange servers, and establish long-term access.

The attack started with a global scan for any vulnerable external-facing Microsoft Exchange servers. When a server of interest was identified, the attackers leveraged a zero-day server-side request forgery (SSRF) remote exploit to upload a web shell known as China Chopper. This web shell allowed the attackers to steal email data and potentially move deeper into the network environment.

It should be noted that this vulnerability does not appear to impact Microsoft Office 365.

Vectra customers with Detect should review any detections associated with their Exchange servers. The reverse shell documented in these attacks will trigger an External Remote Access detection, and exfiltration of data from the Exchange server over that channel will trigger a Smash & Grab alert. Any signs of internal reconnaissance or lateral movement originating from the Exchange server should be reviewed carefully, as these alerts would indicate attacker movement deeper into the network.

Detecting Hafnium: remote access detection

Vectra customers with Recall or Stream should review connections to and from their Exchange servers. Where Vectra sensors have visibility into out-to-in traffic to those servers, teams should check for connection attempts from any of the following IPs: 165.232.154.116, 157.230.221.198, and 161.35.45.41. Use the query below to find potentially impacted hosts.

{
  "query": {
    "bool": {
      "should": [
        {
          "match_phrase": {
            "id.orig_h": "165.232.154.116"
          }
        },
        {
          "match_phrase": {
            "id.orig_h": "157.230.221.198"
          }
        },
        {
          "match_phrase": {
            "id.orig_h": "161.35.45.41"
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}
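For teams without Recall or Stream, the same check can be run directly over Zeek conn.log records. The script below is an added example, not Vectra's code or the page's query; it reuses the three IPs from the post and goes one step further than the query by also flagging outbound connections to those IPs (the reverse-shell direction described above). The conn.log lines and the Exchange server address 10.0.0.25 are constructed for the example.

```python
import json

# Source IPs named in the post as Hafnium infrastructure.
HAFNIUM_IPS = {"165.232.154.116", "157.230.221.198", "161.35.45.41"}

# Constructed sample Zeek conn.log records (JSON per line), not real traffic.
# 10.0.0.25 stands in for an on-premises Exchange server (assumption).
SAMPLE_CONN_LOG = """\
{"ts":1614700001.1,"uid":"C1","id.orig_h":"198.51.100.7","id.orig_p":51000,"id.resp_h":"10.0.0.25","id.resp_p":443,"proto":"tcp"}
{"ts":1614700002.2,"uid":"C2","id.orig_h":"165.232.154.116","id.orig_p":44321,"id.resp_h":"10.0.0.25","id.resp_p":443,"proto":"tcp"}
{"ts":1614700003.3,"uid":"C3","id.orig_h":"10.0.0.25","id.orig_p":50012,"id.resp_h":"161.35.45.41","id.resp_p":8080,"proto":"tcp"}
{"ts":1614700004.4,"uid":"C4","id.orig_h":"10.0.0.40","id.orig_p":50013,"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp"}
"""


def find_hafnium_connections(conn_log_text, iocs=HAFNIUM_IPS):
    """Return (uid, direction, internal_host, ioc_ip) for each record whose
    originator is a listed IP (inbound, what the blog's match_phrase query
    finds) or whose responder is a listed IP (outbound, e.g. a reverse shell
    leaving the Exchange server)."""
    hits = []
    for line in conn_log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        orig, resp = rec.get("id.orig_h"), rec.get("id.resp_h")
        if orig in iocs:
            hits.append((rec["uid"], "inbound", resp, orig))
        elif resp in iocs:
            hits.append((rec["uid"], "outbound", orig, resp))
    return hits


def impacted_hosts(conn_log_text, iocs=HAFNIUM_IPS):
    """Sorted list of internal hosts that touched any listed IP, in either
    direction; these are the servers to pull for forensic review."""
    return sorted({host for _, _, host, _ in find_hafnium_connections(conn_log_text, iocs)})


if __name__ == "__main__":
    for uid, direction, host, ioc in find_hafnium_connections(SAMPLE_CONN_LOG):
        print(f"{uid}: {direction} {host} <-> {ioc}")
    print("impacted hosts:", impacted_hosts(SAMPLE_CONN_LOG))
```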

As always, Vectra recommends that customers update their Exchange servers with the available patches from Microsoft as soon as possible, or limit the external access to these Exchange servers until a patch can be applied.

To learn more about how Vectra can help if you think you may have been compromised by this breach, schedule a demo to see how Vectra can detect and stop attacks like these in your organization, or contact us.
