Microsoft warning companies about four in-the-wild exploits against Exchange server by “Hafnium” threat actor.

📅 Discussions

2021-03-02

• New nation-state cyberattacks (Microsoft) 🏁
• HAFNIUM targeting Exchange Servers with 0-day exploits (Microsoft Security) ⭐️
• Microsoft says China-backed hackers are exploiting Exchange zero-days (TechCrunch)
• Microsoft warns of state-sponsored Chinese hackers exploiting multiple zero-days (CyberScoop)
• Microsoft says Chinese hackers targeted groups via server software ((Reuters)
• Microsoft Warns of Chinese Hackers Targeting Email Product (WSJ)
• Microsoft: 4 Exchange Server Zero-Days Under Attack by Chinese Hacking Group (SecurityWeek)
• Hafnium Attack Group Exploiting Four Exchange Zero Days (Decipher)

2021-03-03

• cyber.dhs.gov - Emergency Directive 21-02
• Mitigate Microsoft Exchange Server Vulnerabilities - CISA ⭐️
• Oppdatér Microsoft Exchange snarest - Nasjonal sikkerhetsmyndighet
• Victims of Microsoft Exchange Server zero-days emerge

2021-03-04

• At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software — Krebs on Security

2021-03-05

• ProxyLogon
• Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims - WIRED
• Red Canary on Twitter: “What we’re observing is consistent with DLTminer precursor activity uncovered by @vmw_carbonblack in 2019, specifically its use of scheduled tasks to execute PowerShell and make external network connections. https://t.co/bKFLDHP7

2021-03-08

• March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server - Microsoft Tech Community

2021-03-09

• Dave Kennedy on Twitter: “Crypto miners being installed on compromised exchange servers.. definitely expanding and escalating. Patch != Protected if already compromised… Need to check for artifacts. Starting point, run below on exchange servers: https:/

2021-03-10

• MalwareTech on Twitter: “🚨 Hafnium Exchange RCE Exploit 🚨 I’ve confirmed there is a public PoC floating around for the full RCE exploit chain. It’s has a couple bugs but with some fixes I was able to get shell on my test box.” / Twitter
• At least 10 hacking groups using Microsoft software flaw: researchers - Reuters

2021-03-12

• Microsoft Probing Whether Leak Played Role in Suspected Chinese Hack - WSJ
• Microsoft Exchange Server hacks ‘doubling’ every two hours - ZDNet

🐾 IOC & Forensics

• HAFNIUM targeting Exchange Servers with 0-day exploits (Microsoft Security)
• sourceincite/CVE-2021-24085 (github)
• Rapid7
• CVE-2021-27065 (Microsoft)
• CVE-2021-26858 (Microsoft)
• CVE-2021-26857 (Microsoft)
• CVE-2021-26855 (Microsoft)
• Operation Exchange Marauder (Volexity) ⭐️
• Please leave an exploit after the beep (Dubex) ⭐️
• Mitigate Microsoft Exchange Server Vulnerabilities - CISA ⭐️

🛠 Mitigations

• Multiple Security Updates Released for Exchange Server – Microsoft Security Response Center ⭐️
• March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server - Microsoft Tech Community