30,000 U.S. organizations breached by cyber espionage group Hafnium

Image: email security (Business photo created by creativeart, www.freepik.com)

March 9, 2021

At least 30,000 organizations in the U.S. have been hacked by a Chinese cyber espionage group known as "Hafnium," which is exploiting previously unknown (zero-day) vulnerabilities in on-premises Microsoft Exchange Server email software.

Last week, Microsoft released emergency security updates to fix the vulnerabilities and said the group operates from China and aims to exfiltrate information from a range of targets, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.

According to KrebsOnSecurity, security experts say Hafnium has dramatically increased its attacks on any vulnerable, unpatched Exchange servers worldwide, leaving behind a "web shell": a malicious script that gives an attacker a convenient, persistent way to execute commands and launch further attacks through the compromised web server.

Two cybersecurity experts told KrebsOnSecurity the group has taken hold of "hundreds of thousands" of Microsoft Exchange servers worldwide.

Mat Gangwer, senior director, Sophos Managed Threat Response, explains, “These vulnerabilities are significant and need to be taken seriously. They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them. The broad installation of Exchange and its exposure to the internet mean that many organizations running an on-premises Exchange server could be at risk. Attackers are actively exploiting these vulnerabilities with the primary technique being the deployment of web shells. This, if unaddressed, could allow the threat actor to remotely execute commands for as long as the web shell is present.”

Gangwer says, "Organizations running an on-premises Exchange server should assume they are impacted, and first and foremost patch their Exchange devices and confirm the updates have been successful. However, simply applying patches won’t remove artifacts from your network that pre-date the patch. Organizations need human eyes and intelligence to determine whether they have been impacted and to what extent, and, most importantly to neutralize the attack and remove the adversary from their networks. Organizations should review the server logs for signs that an attacker may have exploited their Exchange server. Many of the current known indicators of compromise are web shell-based, so there will be file remnants left in the Exchange server. An overview of files and any modifications to them is therefore important. If you have an endpoint detection and response (EDR) product installed, you can also review logs and process command execution."

Gangwer explains that "if you find any anomalous or suspicious activity, you should determine your exposure as this will allow you to decide what to do next. You need to understand how long or impactful this activity may have been. What is the gap between appearance of the web shell or other artifacts in your network and the moment of patching or discovery? This is often a good time to ask for external support if you’re not sure what to do. Third-party forensic and incident response can be vital at this stage, providing experienced threat hunting and human intelligence that can dive deep into your network and find the attackers."
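
The log review Gangwer describes, as an added example that is not code from the article, Sophos or Microsoft: a short Python triage of IIS W3C logs exported from an on-premises Exchange server. It flags successful requests to .aspx files that are not in an inventory of the OWA/ECP install (KNOWN_ASPX is a constructed, illustrative allowlist, not Microsoft's list), lists the client addresses involved and computes the gap between the first such request and the patch time, which is the exposure window Gangwer asks about. The sample log lines, the client addresses and the patch timestamp (PATCHED_AT) are all constructed.

```python
"""Offline triage of IIS W3C logs exported from an on-premises Exchange server.

Added example for this article, not code from the article, Microsoft or Sophos.
Assumptions (not stated on the page): logs are in the W3C extended format IIS
writes by default (UTC timestamps, spaces inside a field replaced with '+'),
and KNOWN_ASPX is a constructed inventory of .aspx endpoints that belong to
the OWA/ECP install. Build the real inventory from a known-good server.
"""
from datetime import datetime, timezone

# Constructed allowlist of legitimate .aspx endpoints (illustrative only).
KNOWN_ASPX = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/ecp/default.aspx",
}

# Constructed time at which the emergency update was applied.
PATCHED_AT = datetime(2021, 3, 3, 18, 0, tzinfo=timezone.utc)

# Constructed sample log. '#' lines are IIS directives; the Fields directive
# gives the column order for the records that follow.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-03-01 09:12:44 GET /owa/auth/logon.aspx url=%2fowa 443 198.51.100.7 Mozilla/5.0 200
2021-03-01 09:13:02 POST /owa/auth/logon.aspx - 443 198.51.100.7 Mozilla/5.0 302
2021-03-02 03:41:27 POST /owa/auth/x7.aspx - 443 203.0.113.9 python-requests/2.25.1 200
2021-03-02 03:42:05 POST /owa/auth/x7.aspx cmd=whoami 443 203.0.113.9 python-requests/2.25.1 200
2021-03-02 03:42:40 GET /owa/auth/probe.aspx - 443 203.0.113.9 python-requests/2.25.1 404
2021-03-03 11:05:51 GET /ecp/default.aspx - 443 198.51.100.22 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: record before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        yield dict(zip(fields, values))


def find_unknown_aspx(entries):
    """Return successful requests to .aspx files that are not in the inventory."""
    hits = []
    for e in entries:
        stem = e["cs-uri-stem"].lower()
        if not stem.endswith(".aspx") or stem in KNOWN_ASPX:
            continue
        if e["sc-status"] != "200":
            continue  # probes for files that do not exist are noise for this pass
        when = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%m-%d %H:%M:%S")
        hits.append({
            "when": when.replace(tzinfo=timezone.utc),
            "client": e["c-ip"],
            "method": e["cs-method"],
            "path": e["cs-uri-stem"],
            "query": e["cs-uri-query"],
        })
    return hits


def exposure_window(hits, patched_at):
    """Gap between the first suspicious request and the time the patch landed."""
    if not hits:
        return None
    return patched_at - min(h["when"] for h in hits)


def triage(log_text, patched_at):
    """Run the whole pass and summarise what an analyst needs next."""
    hits = find_unknown_aspx(parse_w3c(log_text))
    return {
        "hits": hits,
        "clients": sorted({h["client"] for h in hits}),
        "exposure": exposure_window(hits, patched_at),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, PATCHED_AT)
    for h in result["hits"]:
        print(h["when"].isoformat(), h["client"], h["method"], h["path"], h["query"])
    print("clients:", result["clients"])
    print("exposure before patch:", result["exposure"])
```

To run it against real data, feed triage() the contents of the W3C files from the IIS log directory of each Exchange server. Because IIS replaces spaces inside a field with '+', whitespace splitting is safe, although real User-Agent values will not look like the sample. A hit is a lead for the file-level and EDR checks Gangwer lists next, not proof of compromise on its own.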

Oliver Tavakoli, CTO at Vectra, explains: "The hack involved the combined exploitation of multiple 0-day vulnerabilities, starting with an OWA SSRF vulnerability and then proceeding to the exploitation of other vulnerabilities to burrow deeper into the inner workings of the server. Patching their Exchange servers will prevent an attack if their Exchange server has not already been compromised. But it will not undo the foothold attackers have on already compromised Exchange servers. Microsoft has published a technical blog on how to recognize signs that an Exchange Server is already compromised. Remediation will not be simple – it will effectively require backing up data, re-imaging the Exchange server, scrubbing the backup of any accounts which should not be present, resetting all passwords and secrets and restoring the remaining backup data."

Tavakoli says, "Complex software which has been around for a long time (Exchange and OWA certainly qualify in this regard) will almost invariably contain flaws which given sufficient motivation, resources and skill will be discovered and exploited. The key to resilience in these cases is to have the capability to detect downstream activity necessary to capitalize on the foothold gained – the good news is that this activity (e.g. the use of a reverse shell, the abuse of PowerShell, etc.) almost always follows more standard tradecraft which can be detected by Network Detection and Response products."

Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), says, “This attack chain, and the vulnerabilities exploited in it, are strong indicators about the originator of the Hafnium attack, as a substantial amount of time and resource is needed to fully develop such an attack method. The vulnerabilities used in this chain can be mitigated individually; the full potential lies in the coordination displayed. Server-side request forgery vulnerabilities, the one used to start the attack chain, are discovered regularly in various software products and document one more time that software is never 100% secure; it is just that the vulnerabilities haven’t been found yet and are therefore ‘unknowns’. The attack targets on-prem installations of Microsoft Exchange, and using OWA as an external interface is a clear indicator that the initial attack vector, port 443, is open to the public. An organization trying to verify whether they have been compromised already or trying to limit their exposure to future zero days should employ the essential controls recommended by CIS, at least Secure Configuration Management to harden the infrastructure, limiting additional exposures and privilege escalations, and Integrity Monitoring to control changes happening to the infrastructure, which will help identify any foothold established.”
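
The integrity monitoring Schrader recommends, as an added example that is not code from the article or from NNT: a Python hash-manifest baseline and diff over a web root, which is the mechanism behind file integrity monitoring products. demo() builds a constructed directory in a temp folder, baselines it, then simulates a dropped file, a modified page and a deleted file; the resulting diff is what an analyst would review. The directory layout and file contents are constructed and carry no real Exchange code.

```python
"""Integrity monitoring for an Exchange web root: baseline, re-hash, diff.

Added example for this article, not code from the article or from NNT. It
assumes you can take a hash manifest of the web application directories from a
known-good state and re-run it later; any file that is added, changed or
removed is a change to investigate. Keep the baseline off-host so an intruder
on the server cannot rewrite it to match their changes.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each file's relative path (forward slashes) to its SHA-256 and size."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (sha256_file(full), os.path.getsize(full))
    return manifest


def diff_manifests(baseline, current):
    """Classify every change between two manifests."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
        "deleted": sorted(base_paths - cur_paths),
    }


def _write(root, rel, data):
    """Helper for the constructed scenario: write bytes to root/rel, creating dirs."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a fake web root, then simulate a foothold."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "owa/auth/logon.aspx", b"constructed logon page")
        _write(root, "owa/auth/errorFE.aspx", b"constructed error page")
        _write(root, "ecp/default.aspx", b"constructed ecp default page")
        baseline = snapshot(root)
        # Simulated post-compromise changes: a dropped file, a backdoored
        # existing page and a removed file. Contents are placeholders.
        _write(root, "owa/auth/x7.aspx", b"constructed dropped file")
        _write(root, "ecp/default.aspx", b"constructed ecp default page, now altered")
        os.remove(os.path.join(root, "owa", "auth", "errorFE.aspx"))
        return diff_manifests(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline is taken right after a clean install or patch and re-run on a schedule, and the "modified" bucket deserves as much attention as "added": a web shell appended to a legitimate page leaves the file name intact and only the hash changes.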

Michael Isbitski, Technical Evangelist at Salt Security, says the hack seems like it's web-borne for the initial attack vector. "I suspect this will impact a lot of organizations that are still operating their own mail infrastructure rather than using a SaaS like Office365. An attacker can potentially submit an unauthenticated HTTP request to someone's on-prem Exchange servers by overloading cookies, and Exchange in turn processes any submitted commands embedded in the web request within the backend. It'll go from web channel down to binary and OS level issues very quickly in the attack chain. The moral of the story is to make sure your Exchange servers are patched, or use Office365 and let Microsoft handle it. Microsoft also created a few scripts that Exchange admins can run in their environments to check whether they have been compromised. The scripts look for those crafted HTTP requests in server logs and the subsequent binary and OS commands attackers issued to maintain persistence. Microsoft also pre-generated some code for Azure (Sentinel) customers to simplify the process of checking for compromise by admin teams.”

Isbitski points to two useful resources: Microsoft's CSS-Exchange security scripts at https://github.com/microsoft/CSS-Exchange/tree/main/Security and the MSRC post on the Exchange Server vulnerabilities and mitigations at https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

KEYWORDS: cyber espionage, cyber security, email security, enterprise security, hacking, risk management

Copyright ©2025. All Rights Reserved BNP Media.
