The HAFNIUM Attack on the on-premises Microsoft Exchange Server


Security Center of Excellence

March 18, 2021

3 minute read

On March 2, Microsoft announced that its on-premises Exchange Server had experienced multiple 0-day exploits.

Microsoft commented: “In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”

In the attacks observed, the threat actor chained four vulnerabilities, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.

These vulnerabilities are addressed in the following Microsoft Security Response Center (MSRC) releases – Multiple Security Updates Released for Exchange Server and Guidance for Responders: Investigating and Remediating on-premises Exchange Server vulnerabilities. Microsoft strongly urges customers to update on-premises systems immediately.

Microsoft has declared that Exchange Online is not affected.

The OpenText™ Security Detection Engineering Team is closely monitoring the situation and developing tools to help customers mitigate potential risk from this cyberattack. The newly released detection rules for OpenText™ EnCase™ Endpoint Security CE 20.4 and CE 21.1 update the product’s software detection rules with known indicators of compromise related to HAFNIUM.

OpenText recommends that customers update their on-premises systems immediately by taking the following steps:

Download and run the Microsoft Safety Scanner to find and remove planted webshells. Continue to monitor for webshell creations using the Endpoint Security filters released and linked below.

Apply any anomaly detection filters or advanced indicators of compromise (IoC) filters, released by OpenText, to search historical telemetry and behavioral indicators.

Conduct a threat hunt on your environment, and if evidence of this attack is found, carry out the following digital forensics and incident response (DFIR) activities on the environment:

  • Immediately collect memory from devices for deeper analysis, looking to ensure threat actors did not gain escalated access to any potentially compromised systems.
  • Conduct an audit of the Active Directory to ensure no additional users were created during the breach.
  • Compose a timeline of the incident and look for potential lateral movement.
  • Validate that webshells have been removed and remediate any other malware found.
  • Identify all exfiltrated data from the company.
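Steps 1 and 2 above come down to the same hunting question: which server-side pages under the Exchange web roots are new, or changed, relative to a trusted baseline, and were written after the disclosure? The script below is an added example of that baseline-and-rescan check, written for this post; it is not OpenText's EnCase filter logic or Microsoft's Safety Scanner. The directory tree, file contents, file names and the `SUSPICIOUS_TOKENS` heuristic are all constructed so the script runs offline in a temporary folder; on a real server you would build the baseline from a known-clean (freshly patched) Exchange installation, point `scan_web_roots` at the IIS web roots, and use the disclosure date as the `since` cutoff.

```python
"""Hunt for newly created or modified web content (candidate webshells) under
an Exchange server's IIS web roots by comparing the tree to a trusted baseline.

Added example, not OpenText's or Microsoft's tooling. Paths, file contents and
token list are constructed for illustration.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Server-side page types worth baselining under the Exchange web roots.
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}

# Heuristic tokens that are rare in stock Exchange pages but common in
# server-side scripts an intruder drops. Hits are leads to triage, not proof.
SUSPICIOUS_TOKENS = ('runat="server"', "Request[", "Request.Item", "eval(", "Execute(")


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> SHA-256 for every web file under root.
    Run this on a known-clean system and keep the result off the server."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS
    }


def scan_web_roots(root: Path, baseline: dict, since: datetime) -> list:
    """Return one finding per web file that is absent from the baseline,
    differs from it, or was written at/after `since` (e.g. the disclosure date)."""
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in WEB_EXTENSIONS:
            continue
        rel = p.relative_to(root).as_posix()
        digest = sha256_of(p)
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline")
        elif baseline[rel] != digest:
            reasons.append("hash differs from baseline")
        if mtime >= since:
            reasons.append(f"modified after {since.date()}")
        if reasons:
            # Only read content for files already flagged by metadata.
            text = p.read_text(errors="ignore")
            hits = [t for t in SUSPICIOUS_TOKENS if t in text]
            if hits:
                reasons.append("suspicious tokens: " + ", ".join(hits))
            findings.append({"path": rel, "sha256": digest, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Constructed scenario: baseline a clean tree, then plant two changes and rescan."""
    root = Path(tempfile.mkdtemp(prefix="exch_webroot_"))
    auth = root / "owa" / "auth"          # constructed stand-in for an IIS web root
    auth.mkdir(parents=True)
    clean = auth / "logon.aspx"
    clean.write_text('<%@ Page Language="C#" %><!-- constructed clean page -->')
    # Backdate the clean file so only the post-baseline changes trip the cutoff.
    old = (datetime.now(timezone.utc) - timedelta(days=30)).timestamp()
    os.utime(clean, (old, old))
    baseline = build_baseline(root)

    # Simulated post-disclosure changes: a brand-new page and a tampered known page.
    (auth / "constructed_new_page.aspx").write_text(
        '<%@ Page Language="C#" %><script runat="server">/* constructed marker */</script>'
    )
    clean.write_text('<%@ Page Language="C#" %><!-- constructed clean page --><!-- appended -->')

    since = datetime.now(timezone.utc) - timedelta(days=1)   # real use: disclosure date
    return scan_web_roots(root, baseline, since)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

The scan deliberately leads with metadata (baseline membership, hash, modification time) and only then applies the content heuristic, because attackers choose file names and tokens, but they cannot make a dropped file match a hash you recorded before the breach. Treat every finding as a triage lead for the memory collection and timeline work in the DFIR steps above, and keep the baseline off the server so it cannot be edited along with the pages it describes.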

For assistance with identifying and addressing risks in your environment, contact the OpenText Security Services team.

More information

For more information, visit the Microsoft website or contact us through OpenText My Support.
