Hafnium Set Its Eyes on Microsoft

It goes without saying that nation-state actors are increasingly evolving and cyberattacks are growing to be more challenging with every passing day. The latest cyber assault comes in the form of an attack on Microsoft.

The scoop

  • Multiple zero-day exploits were used to launch attacks against on-premise versions of Microsoft Exchange Server. This attack has been attributed to Hafnium, a Chinese state-sponsored threat actor. The exploited flaws include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
  • There’s a twist to the story though. The CVE-2021-26855 has been found to be abused in the wild by LuckyMouse, Calypso, and Tick cyberespionage groups in Europe, the Middle East, Asia, and the U.S, said ESET.

Responses

  • The CISA issued an emergency directive, which is a rare occasion as it necessitates the entire U.S. government to protect its cybersecurity.
  • Microsoft released updates for all the flaws and urged its customers to patch the affected systems.

Spilling Hafnium facts

  • This threat actor is primarily active across the U.S. and targets a variety of industry verticals, including infectious healthcare researchers, defense contractors, law firms, higher education institutes, and NGOs.
  • Although the group is based in China, its operations are conducted via leased VPNs in the U.S.
  • Previously, Hafnium abused flaws in internet-facing servers to compromise users. It has used legit open-source frameworks, such as Covenant, for C2. after a successful infiltration, it exports data to file sharing sites.

Microsoft-related attacks

  • With the increase in the usage of Office 365, attackers have started targeting users with Teams, Outlook, and other Microsoft-related phishing lures. Almost 50% of the phishing lures used last year were aimed at stealing credentials by using Microsoft-related lures.
  • A Windows 10 bug was discovered that could enable threat actors to corrupt an NTFS-formatted hard drive with a one-line command. Although Microsoft has released an undocumented patch for Windows 10 Insider ‘Dev’ channel, no fix has yet been issued for Windows 10 21H1 ‘Beta’ preview.

The bottom line

The simplest thing to put out is that we need better global strategies for protection against cyberattacks. In the wake of the latest attacks by Hafnium, we are once again made to realize that organizations need to combine learning with innovation and users need to patch their software and stay alert. It’s time to fortify our collective defenses against the dark forces of the cyber world and move forward.

Source

Next Post

5 Steps for Investigating Phishing Attacks

Thu Mar 11 , 2021
Phishing is a common and effective cybercrime tool, but even the most sophisticated threat actors make mistakes that you can leverage in your investigations. In November 2020, Group-IB and INTERPOL revealed details about operation Falcon, which targeted members of a Nigerian cybercrime ring engaged in business email compromise (BEC) and phishing. The […]