Microsoft revealed multiple zero-day exploits being used to attack Exchange Servers in early March, and we have already discussed the biggest malware threats to jump on the bandwagon in our previous episode. DearCry Ransomware, Black Kingdom Ransomware & Lemon Duck crypto miner successfully exploited the vulnerabilities that left Exchange Servers exposed, but that would not have been possible without HAFNIUM, a hacking group that is believed to operate from China.
According to a Microsoft blog post shared on March 2nd, 2021, “HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.” Since HAFNIUM is a state-sponsored group, it is possible that it will not be deployed for anything else but cyber espionage; however, it would be naive to think that regular computer users cannot be affected by cyber attackers who primarily target larger entities and the data they possess.
The goal of the attackers hiding behind the HAFNIUM mask is to exfiltrate sensitive data, and they have proven how efficient they can be by successfully exploiting server-side request forgery (CVE-2021-26855), insecure deserialization (CVE-2021-26857), post-authentication arbitrary file write (CVE-2021-26858), and post-authentication arbitrary file write (CVE-2021-27065) vulnerabilities. The vulnerabilities that made attacks on the Microsoft Exchange Servers possible.
Once HAFNIUM discovered the vulnerabilities and exploited them, the attackers leveraged the compromised servers to deploy malicious web shells. Unfortunately, using the backdoors, attackers could steal sensitive data. The vulnerabilities also permitted the attackers to acquire the Exchange offline address books containing information about the targeted organizations.
Recently, the FBI has taken a page out of the HAFNIUM handbook and has been hacking into vulnerable systems using the same backdoors. Of course, the bureau is doing that not to exploit more security cracks, exfiltrate data, or perform other malicious actions. Instead, they are using the vulnerabilities to provide protection against HAFNIUM. The Department of Justice released a statement on April 13th revealing that the FBI discovered hundreds of HAFNIUM-related web shells that were not yet removed from vulnerable systems. FBI moved in to “maintain and escalate persistent, unauthorized access to U.S. networks.” The web shells’ removal was performed using a command specifically designed to locate and delete those web shells alone.
Unsurprisingly, the FBI’s actions have caused heated discussions among cybersecurity experts and regular computer users. In an unprecedented move, the government took charge against an aggressive hacking group by accessing the affected Microsoft Exchange Servers, potentially without alerting their owners. All in all, the operation proved to be successful as vulnerable servers were, eventually, cleared from malicious web shells.