New Blog Post | HAFNIUM targeting Exchange Servers with 0-day exploits

HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security

Author(s): 

  • Microsoft Threat Intelligence Center (MSTIC)
  • Microsoft 365 Defender Threat Intelligence Team
  • Microsoft 365 Security


Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
