Hafnium Attack Exploits On-premise Microsoft Exchange Servers

By: John Mancini
March 4, 2021

On Tuesday, March 2nd, the Microsoft Threat Intelligence Center (MSTIC) disclosed details of a campaign by the actor Microsoft tracks as Hafnium that is targeting on-premises Microsoft Exchange servers. The attack chains several zero-day Exchange vulnerabilities that let the attackers bypass authentication, including multifactor authentication (MFA), read e-mail from accounts within targeted organizations, remotely execute code on vulnerable Exchange servers, and establish long-term access.

The attack begins with a global scan for Internet-facing Microsoft Exchange servers. Once a server of interest is identified, the attackers use a zero-day server-side request forgery (SSRF) vulnerability to bypass authentication and then write a web shell known as China Chopper to the server. The web shell lets the attackers steal e-mail data and gives them a foothold from which to move deeper into the network.

Note that this vulnerability does not appear to affect Microsoft Office 365 (Exchange Online).

Vectra customers with Cognito Detect should review any detections associated with their Exchange servers. The reverse shell documented in the attacks will trigger an External Remote Access detection, and exfiltration of data from the Exchange server over that channel will trigger a Smash & Grab alert. Any sign of internal reconnaissance or lateral movement originating from the Exchange server should be reviewed carefully, as such alerts indicate the attacker moving deeper into the network.

[Figure: Detecting Hafnium: External Remote Access detection]

Vectra customers with Cognito Recall or Cognito Stream should review connections to and from their Exchange servers. Where Vectra sensors have visibility into out-to-in traffic to the Exchange servers, teams should check for connection attempts from any of the following IPs: 165.232.154.116, 157.230.221.198 and 161.35.45.41. The query below finds connections in which one of these IPs is the originator (id.orig_h); the Exchange server being contacted will appear as id.resp_h in the matching records. Connections the Exchange server itself opened to these IPs, such as a reverse shell, would carry the IP in id.resp_h instead and need a matching search on that field.

{
  "query": {
    "bool": {
      "should": [
        { "match_phrase": { "id.orig_h": "165.232.154.116" } },
        { "match_phrase": { "id.orig_h": "157.230.221.198" } },
        { "match_phrase": { "id.orig_h": "161.35.45.41" } }
      ],
      "minimum_should_match": 1
    }
  }
}
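The same hunt carried out over raw Zeek-style conn.log records, as an added example that is not code from the original post or from Vectra. It checks the IOC IPs against both id.orig_h and id.resp_h, because the Elasticsearch query above only matches connections that the attacker IPs initiated (web-shell traffic in to the Exchange server); a reverse shell or exfiltration channel that the Exchange server itself opened would carry the attacker IP in id.resp_h and be missed. It also totals the bytes each internal host sent to the IOC IPs, which is the volume signal a Smash & Grab style review looks at. The log lines and the 10.0.0.25 Exchange address are constructed for the example.

```python
"""Hunt Zeek/Cognito-style conn.log records for the Hafnium IOC IPs.

Added example, not from the original post. Matches on either side of the
connection (id.orig_h or id.resp_h) and reports which direction the
connection went. Sample data below is constructed, not captured traffic.
"""
from collections import defaultdict

# Indicator IPs quoted in the post.
IOC_IPS = frozenset({"165.232.154.116", "157.230.221.198", "161.35.45.41"})

# Constructed Zeek conn.log excerpt (tab-separated). 10.0.0.25 stands in for
# the on-premises Exchange server. C1 is an inbound connection from an IOC IP
# (web-shell traffic); C2 is the Exchange server reaching out to an IOC IP
# (reverse shell / exfiltration); C3 and C4 are benign internal traffic.
SAMPLE_CONN_LOG = """\
ts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1614700000.1\tC1\t165.232.154.116\t51234\t10.0.0.25\t443\ttcp\tssl\t12.3\t1800\t950000
1614700050.2\tC2\t10.0.0.25\t49811\t161.35.45.41\t443\ttcp\t-\t600.0\t48000000\t2000
1614700060.3\tC3\t192.168.1.7\t52000\t10.0.0.25\t443\ttcp\tssl\t2.0\t900\t4000
1614700070.4\tC4\t10.0.0.25\t49900\t10.0.0.2\t53\tudp\tdns\t0.01\t60\t120
"""


def _to_int(field):
    """Zeek writes '-' for unset numeric fields; treat that as 0."""
    return int(field) if field.isdigit() else 0


def parse_conn_log(text):
    """Return conn.log rows as dicts keyed by Zeek field name.

    Real Zeek logs carry the field names on a '#fields' metadata line; the
    constructed sample uses a plain header row instead. Both are handled.
    """
    rows, header = [], None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            if line.startswith("#fields\t"):
                header = line[len("#fields\t"):].split("\t")
            continue
        if header is None:          # plain header row (sample data)
            header = line.split("\t")
            continue
        rows.append(dict(zip(header, line.split("\t"))))
    return rows


def matches_original_query(row, ioc_ips=IOC_IPS):
    """Equivalent of the Elasticsearch query above: originator IP only."""
    return row["id.orig_h"] in ioc_ips


def hunt(conn_log_text, ioc_ips=IOC_IPS):
    """Return one hit per connection touching an IOC IP in either direction.

    'inbound'  : IOC IP initiated the connection (attacker -> Exchange).
    'outbound' : internal host initiated it (Exchange -> attacker).
    internal_bytes_sent is what the internal host sent over that connection.
    """
    hits = []
    for row in parse_conn_log(conn_log_text):
        orig, resp = row["id.orig_h"], row["id.resp_h"]
        if orig in ioc_ips:
            hits.append({"uid": row["uid"], "direction": "inbound",
                         "ioc_ip": orig, "internal_host": resp,
                         "internal_bytes_sent": _to_int(row["resp_bytes"])})
        elif resp in ioc_ips:
            hits.append({"uid": row["uid"], "direction": "outbound",
                         "ioc_ip": resp, "internal_host": orig,
                         "internal_bytes_sent": _to_int(row["orig_bytes"])})
    return hits


def bytes_sent_per_host(hits):
    """Total bytes each internal host pushed to IOC IPs (exfil volume)."""
    totals = defaultdict(int)
    for hit in hits:
        totals[hit["internal_host"]] += hit["internal_bytes_sent"]
    return dict(totals)


if __name__ == "__main__":
    found = hunt(SAMPLE_CONN_LOG)
    for hit in found:
        print(f"{hit['uid']}: {hit['direction']:8} {hit['internal_host']} "
              f"<-> {hit['ioc_ip']} sent={hit['internal_bytes_sent']}")
    print("bytes sent to IOC IPs per host:", bytes_sent_per_host(found))
    only_orig = [r["uid"] for r in parse_conn_log(SAMPLE_CONN_LOG)
                 if matches_original_query(r)]
    print("originator-only query would have found:", only_orig)
```

Run against the sample, the originator-only match (the query above) finds only C1, while the two-sided hunt also surfaces C2, the 48 MB the Exchange server pushed out to an IOC IP. For real logs, feed the contents of conn.log to hunt() unchanged; the parser reads Zeek's '#fields' header.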

As always, Vectra recommends that customers update their Exchange servers with the available patches from Microsoft as soon as possible, or limit the external access to these Exchange servers until a patch can be applied.

To learn more about how Vectra can help if you think you may have been compromised by this breach, schedule a demo to see how Vectra Cognito detects and stops attacks like these in your organization, or contact us.

About the author

John Mancini

John Mancini leads the product management of machine learning-based threat detection algorithms at Vectra. He is a product-driven technologist with extensive experience in the research, development and design of software backed by machine learning and AI. Previously, John held the position of lead data scientist and received a patent for an improved method, system, and computer program product for identifying malicious payload exchanges which may be associated with payload injection or root-kit magic key usage.
