Hafnium – Microsoft Exchange Server 0-Day Vulnerability

OVERVIEW | 0-day

Exploitation of multiple Microsoft Exchange Server 0-day vulnerabilities was observed in the wild as early as January 6, 2021; Microsoft publicly disclosed them on March 2, 2021. The vulnerabilities were found to be actively exploited by the threat group Hafnium, which Microsoft assesses to be a state-sponsored actor operating out of China. The campaign is estimated to have reached as many as 30,000 organizations in the United States and hundreds of thousands worldwide. Based on the current pool of victims, the attacks do not appear to target any specific sector or country.

Per BleepingComputer, there are four 0-day vulnerabilities that were being exploited:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when untrusted, user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. On its own it requires administrator permission or another vulnerability (such as CVE-2021-26855) to exploit.
  • CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. Once authenticated, whether by exploiting the CVE-2021-26855 SSRF or by compromising a legitimate admin's credentials, Hafnium could use it to write a file to any path on the server.
  • CVE-2021-27065 is a second post-authentication arbitrary file write vulnerability in Exchange, with the same prerequisites and impact as CVE-2021-26858: once authenticated via the SSRF or with a compromised admin's credentials, Hafnium could write a file to any path on the server. Chained with CVE-2021-26855, this is the bug used to write the webshell to disk.

Microsoft released patches for the exploited vulnerabilities on March 2, 2021, and published a PowerShell script, Test-ProxyLogon.ps1, that can be run against Microsoft Exchange Servers to look for indicators of compromise. By that time, multiple threat groups other than Hafnium were also known to be exploiting these vulnerabilities to compromise Microsoft Exchange Servers.

Hafnium Attack Details

The attacks began with the adversary scanning for and identifying vulnerable Exchange servers. Having gained initial access, Hafnium dropped webshells onto the affected servers. Based on our research, the webshells dropped onto victims' servers were mainly variants related to China Chopper-like webshell scripts.

The adversary deployed these webshell scripts within web directory folders to establish persistence on the systems. The team also observed unusual HTTP POST requests to single-letter or generically named JavaScript files as part of the exploit attempts. CrowdStrike decoded a sample of such requests and found the initial commands being passed to a dropped webshell: SetObject requests for OABVirtualDirectory were being used to plant the malicious JavaScript in the OAB virtual directory's ExternalUrl setting, from which it was written to disk as a webshell. These webshells allow attackers to run commands on, or steal data from, the compromised servers.
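The two request patterns described above (POSTs to single-letter or generically named script files, and SetObject calls against the OABVirtualDirectory schema) can be hunted for in IIS W3C logs. The following scanner is an added example written for this page, not Proficio's or Microsoft's tooling. The log excerpt is constructed (placeholder addresses 10.0.0.5, 10.0.0.30, 203.0.113.7, 198.51.100.20 and the host mail.example.test), the path patterns are the ones named on this page, and the generic webshell file names are a small subset of those in public reporting on this campaign; treat that list as a starting point, not a complete one.

```python
import re
from dataclasses import dataclass

# Constructed IIS W3C log excerpt imitating an Exchange front end (not real telemetry).
# 10.0.0.5 is the placeholder server address and 203.0.113.7 the placeholder attacker.
# Two legitimate admin requests from 10.0.0.30 are included as negative cases.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 01:12:07 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2021-03-03 01:12:09 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 95
2021-03-03 01:12:09 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=OABVirtualDirectory&msExchEcpCanary=AbC123 444 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 118
2021-03-03 01:12:11 10.0.0.5 POST /owa/auth/a.aspx - 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 16
2021-03-03 01:13:40 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 22
2021-03-03 01:14:02 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\jsmith 10.0.0.30 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 44
2021-03-03 01:14:03 10.0.0.5 GET /ecp/Current/Scripts/common.js - 443 CORP\\jsmith 10.0.0.30 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
"""

# A few webshell file names from public reporting on this campaign; extend with local findings.
GENERIC_WEBSHELL_NAMES = {"web", "help", "document", "shell", "erroree", "healthcheck"}
# Script files under the directories this page names as webshell drop locations.
WEBSHELL_PATH = re.compile(
    r"^/(?:ecp|owa/auth|aspnet_client)(?:/[^/]+)*/([^/]+)\.(?:aspx|js)$", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    rule: str
    client_ip: str
    user: str
    request: str


def parse_w3c(text):
    """Yield (line_no, record) for each data line, naming columns from the #Fields: header."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()  # IIS encodes spaces inside a field as '+', so whitespace is safe
        if fields is None or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than guess columns
        yield n, dict(zip(fields, values))


def check_record(rec):
    """Return the rule name a record trips, or None."""
    stem, query, method = rec["cs-uri-stem"], rec["cs-uri-query"], rec["cs-method"].upper()
    # Rule 1: ECP DDIService SetObject against the OAB virtual directory (the webshell
    # write path). Legitimate admin edits of that directory also produce this, so it is a
    # triage lead; an anonymous cs-username makes it far more suspicious.
    if stem.lower().endswith("/ecp/ddi/ddiservice.svc/setobject") and \
            "schema=oabvirtualdirectory" in query.lower():
        return "oab-vdir-setobject"
    # Rule 2: POST to a single-letter/short or generically named script in a webshell directory.
    m = WEBSHELL_PATH.match(stem)
    if method == "POST" and m:
        name = m.group(1)
        if len(name) <= 2 or name.lower() in GENERIC_WEBSHELL_NAMES:
            return "post-to-short-or-generic-script"
    return None


def scan_iis_log(text):
    findings = []
    for n, rec in parse_w3c(text):
        rule = check_record(rec)
        if rule:
            findings.append(Finding(n, rule, rec["c-ip"], rec["cs-username"],
                                    f'{rec["cs-method"]} {rec["cs-uri-stem"]}?{rec["cs-uri-query"]}'))
    return findings


def clients_to_triage(findings):
    """Client IPs that tripped more than one distinct rule: the strongest lead for a full chain."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f.client_ip, set()).add(f.rule)
    return sorted(ip for ip, rules in by_ip.items() if len(rules) > 1)


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_IIS_LOG)
    for h in hits:
        print(f"line {h.line_no}: {h.rule:32} {h.client_ip:15} user={h.user} {h.request}")
    print("triage first:", clients_to_triage(hits))
```

Run it over the front-end site's logs (`C:\inetpub\logs\LogFiles\W3SVC1`) and the Exchange Back End site's logs as well: the SSRF carrier request (the short JavaScript name) is what the front end records, while the proxied SetObject call is likelier to surface in the back-end site's log or the ECP server logs that Test-ProxyLogon.ps1 searches.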

Post-exploitation activity such as downloading PowerCat from GitHub was also observed. PowerCat is a PowerShell implementation of netcat and was used to open connections to a remote server. The adversary used the Exchange PowerShell snap-in to export mailbox data, and stolen files were compressed prior to exfiltration.

Stronger Together

Proficio’s Threat Intelligence team is continually researching and collecting IOCs related to these attacks. We continue to gather the latest IOCs available, and many clients have also provided additional Exchange logs and malicious artifacts, from which we have extracted further indicators to support threat hunting. With the indicators gathered, the team is able to quickly identify positive hits, such as dropped files on clients’ servers.

Beyond the public IOCs and the additional indicators found by the team, we are also looking at other TTPs, such as download traffic for PowerCat, large data transfers, access to file-sharing sites and other unusual traffic that could help identify the threat. This is an ongoing effort to identify clients that may have been compromised and to confirm that our clients are not being targeted.

Precautionary Measures

Prevention is always better than cure. Given that these exploits are still actively seen in the wild, we recommend that organizations patch or upgrade any on-premises Exchange environments to mitigate the risk of successful exploitation. Patching closes the entry point but does not remove webshells that were already dropped, so organizations that have been exploited, or are unsure whether their servers were compromised before the patch was applied, should investigate their Microsoft Exchange Servers using the PowerShell scripts Microsoft has published, which scan the servers for indicators of compromise. Microsoft’s patch recommendations and PowerShell scripts can be found here:

For any concerned Proficio clients, please reach out to your assigned Client Success Manager or Security Advisors.

Reference links

Vulnerability: Zero-Day Flash Flaw

June 7, 2018 – Security firm Qihoo 360 identified a new zero-day flaw in Adobe Flash that could allow malicious software to execute on a victim’s machine without permission.
Attackers have gained access to victims’ devices by sending emails containing exploit Flash content disguised as a Microsoft Office document. Victims open the document without realizing that it embeds a malicious SWF file that connects to a remote server. At this time the attackers appear to be targeting only organizations located in the Middle East.

Tracking the flaw (CVE-2018-5002) – Adobe has issued an advisory summarizing the vulnerability and providing patches across all operating systems for the Adobe Flash desktop runtime and the Chrome/Edge/IE browser plugins. The versions of Flash vulnerable to this zero-day are versions and earlier. Adobe has released a new Flash update (version ) that patches the vulnerability.

The Proficio Threat Intelligence Recommendations:

  • Immediately ensure that Adobe Flash is updated to the latest version.
  • Configure browsers to ask for permission each time Flash content attempts to run (click-to-play) rather than running it automatically.


Sandworm – Microsoft Windows Zero-day Vulnerability

What is it?

CVE-2014-4114 (aka “Sandworm”): A zero-day vulnerability that allows an attacker to remotely execute arbitrary code.

Who is vulnerable?

Sandworm is a zero-day affecting all versions of Microsoft Windows from Vista SP2 through Windows 8.1, as well as Windows Server 2008 and 2012.

Where has it been seen?

Used in a Russian cyber-espionage campaign targeting NATO, the European Union, and organizations in the telecommunications and energy sectors.

How does it work?

Non-technical: opening a specially crafted file allows remote code execution. In the wild this has been seen with PowerPoint files.

Technical: “The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources. This will cause the referenced files to be downloaded and, in the case of INF files, to be executed with specific commands.”
[copied from source: ]
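The mechanism quoted above (a Package OLE object referencing an external file that packager.dll then fetches and runs) leaves a footprint in the document itself: in an OOXML presentation the OLE object's location is declared in a `.rels` part, and an external reference carries `TargetMode="External"`. The following triage script is an added example for this page, not code from Proficio, Microsoft or the original reporting. It builds a skeletal, constructed PPTX in memory (placeholder host 203.0.113.9, file names chosen for illustration; it does not reproduce the real exploit sample) and then flags external OLE relationships, rating those that point at a remote host or at an INF/executable highest.

```python
import io
import os
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Extensions packager.dll or the shell would execute rather than render; .inf is the Sandworm case.
EXECUTABLE_EXTS = (".inf", ".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".ps1")
# "\\host\share\..." or "file://host/...": a host name as the first path token after the slashes.
REMOTE_PATH = re.compile(r"^(?:file:)?[/\\]{2,}([^/\\]+)", re.IGNORECASE)
ATTR_ESCAPES = {'"': "&quot;"}


def build_sample_pptx(ole_target, target_mode="External"):
    """Build a minimal PPTX-shaped zip in memory. Constructed test data, not a real sample:
    only the slide relationship part matters for this check, so the other parts are skeletal."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("ppt/slides/slide1.xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        z.writestr("ppt/slides/_rels/slide1.xml.rels",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   f'<Relationships xmlns="{REL_NS}">'
                   '<Relationship Id="rId1" Target="../slideLayouts/slideLayout1.xml" '
                   'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"/>'
                   f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                   f'Target="{escape(ole_target, ATTR_ESCAPES)}" TargetMode="{target_mode}"/>'
                   '</Relationships>')
    return buf.getvalue()


def classify_target(target):
    """Severity of an external OLE target: remote host plus executable extension is the
    Sandworm pattern; a linked local spreadsheet is the benign case this must not drown in."""
    t = target.strip().lower()
    m = REMOTE_PATH.match(t)
    host = m.group(1) if m else None
    # "file:///C:/..." yields host "c:", which is a drive letter, not a remote host.
    remote = (host is not None and ":" not in host) or t.startswith(("http:", "https:"))
    ext = os.path.splitext(t.split("?")[0])[1]
    executable = ext in EXECUTABLE_EXTS
    if remote and executable:
        return "high"
    if remote or executable:
        return "medium"
    return "low"


def find_external_ole_refs(pptx_bytes):
    """Walk every .rels part and report OLE relationships marked TargetMode="External"."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for part in z.namelist():
            if not part.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE or rel.get("TargetMode", "Internal") != "External":
                    continue  # embedded objects and non-OLE links are out of scope here
                target = rel.get("Target", "")
                findings.append({"part": part, "id": rel.get("Id"),
                                 "target": target, "severity": classify_target(target)})
    return findings


if __name__ == "__main__":
    # Constructed sample: an OLE package fetched from a UNC share and ending in .inf.
    sample = build_sample_pptx(r"file:///\\203.0.113.9\public\slides.inf")
    for f in find_external_ole_refs(sample):
        print(f"{f['severity']:6} {f['part']} {f['id']} -> {f['target']}")
```

The same walk over `.rels` parts applies to Word and Excel OOXML files, since all three share the package relationship model; the only thing that differs is where the slide, document or worksheet parts live inside the zip.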

Additional Notes:

Microsoft classified MS14-060 as “important”, not “critical”, because the attack requires a user to open a file.

Security Operations Center Recommendations:

Update all vulnerable systems as soon as possible. Microsoft Bulletin MS14-060 fixes this bug:

Additionally, Microsoft has released a total of eight security bulletins and updates that address them as of October 14, 2014. In total, 24 vulnerabilities are addressed in the updates. Three of them are classified as critical. More information can be found here: