HAFNIUM targeting Exchange Servers March 2021 and related articles Print

  • HAFNIUM, 0-day exploits, Exchange Server 2019, Exchange Server 2016, Exchange Server 2013, Exchange Server 2010 Service Pack 3
  • 0

HAFNIUM targeting Exchange Servers March 2021 and related articles

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control.

Please see this Article that describes attack :



Patch depending on your current CU:


Description of Security Update: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/ 

Attack details

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One example of a web shell deployed by HAFNIUM, written in ASP, is below:

Screenshot of web shell code

Following web shell deployment, HAFNIUM operators performed the following post-exploitation activity:

  • Using Procdump to dump the LSASS process memory:

  • Using 7-Zip to compress stolen data into ZIP files for exfiltration:

  • Adding and using Exchange PowerShell snap-ins to export mailbox data:

  • Using the Nishang Invoke-PowerShellTcpOneLine reverse shell:

  • Downloading PowerCat from GitHub, then using it to open a connection to a remote server:

HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.

Our blog, Defending Exchange servers under attack, offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog Web shell attacks continue to rise.


Tools used to detect and clean:

- Microsoft Safety Scanner:  https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download and how to use: https://github.com/microsoft/CSS-Exchange/blob/main/Security/Defender-MSERT-Guidance.md 

- Microsoft Defender: using latest definitions

- Test-Hafnium vulnerability checkerhttps://github.com/microsoft/CSS-Exchange/tree/main/Security 



Applies to: Exchange Server 2019, Exchange Server 2016, Exchange Server 2013, Exchange Server 2010 Service Pack 3

courtesy of NETSERVERS
by Javier Oblitas 3/15/2021  ver 001
https://www.netservers.com custom Hosting...introducing fast Solid State Hosting where everything is possible!
https://www.vndx.com Web Solutions and custom programming including Managed Hosting Solutions

Was this answer helpful?

« Back