Hafnium Set Its Eyes on Microsoft

The scoop

• Multiple zero-day exploits were used to launch attacks against on-premise versions of Microsoft Exchange Server. This attack has been attributed to Hafnium, a Chinese state-sponsored threat actor. The exploited flaws include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
• There’s a twist to the story though. The CVE-2021-26855 has been found to be abused in the wild by LuckyMouse, Calypso, and Tick cyberespionage groups in Europe, the Middle East, Asia, and the U.S, said ESET.

Responses

• The CISA issued an emergency directive, which is a rare occasion as it necessitates the entire U.S. government to protect its cybersecurity.
• Microsoft released updates for all the flaws and urged its customers to patch the affected systems.

Spilling Hafnium facts

• This threat actor is primarily active across the U.S. and targets a variety of industry verticals, including infectious healthcare researchers, defense contractors, law firms, higher education institutes, and NGOs.
• Although the group is based in China, its operations are conducted via leased VPNs in the U.S.
• Previously, Hafnium abused flaws in internet-facing servers to compromise users. It has used legit open-source frameworks, such as Covenant, for C2. after a successful infiltration, it exports data to file sharing sites.

Microsoft-related attacks

• With the increase in the usage of Office 365, attackers have started targeting users with Teams, Outlook, and other Microsoft-related phishing lures. Almost 50% of the phishing lures used last year were aimed at stealing credentials by using Microsoft-related lures.
• A Windows 10 bug was discovered that could enable threat actors to corrupt an NTFS-formatted hard drive with a one-line command. Although Microsoft has released an undocumented patch for Windows 10 Insider ‘Dev’ channel, no fix has yet been issued for Windows 10 21H1 ‘Beta’ preview.

The bottom line