Published: in News

HAFNIUM targeting Exchange Servers with 0-day exploits

By Sam Sheridan - 3rd March, 2021

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.

Microsoft has released a set of out of band security updates for vulnerabilities for the following versions of Exchange Server

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

Security updates are also available for Microsoft Exchange 2010 SP3, if you haven't upgraded Exchange 2010 to SP3 then this will need to be done before you can apply the patch.

Microsoft has posted a blog post on these new security updates.


Microsoft - March 2021: HAFINUM targeting exchange servers



exploit microsoft microsoft exchange