{"id":8706,"date":"2021-04-09T07:13:00","date_gmt":"2021-04-09T14:13:00","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?post_type=patch_watch&p=8706"},"modified":"2023-03-03T14:25:41","modified_gmt":"2023-03-03T21:25:41","slug":"nine-reasons-to-patch-hafnium-vulnerabilities","status":"publish","type":"patch_watch","link":"https:\/\/10.42.32.162\/patch_watch\/nine-reasons-to-patch-hafnium-vulnerabilities\/","title":{"rendered":"Nine Reasons to Patch Hafnium Vulnerabilities"},"content":{"rendered":"
\n

The Chinese state-sponsored threat group named \u201cHAFNIUM\u201d is attacking on-premises versions of Microsoft Exchange Server.<\/span><\/strong><\/span><\/p>\n<\/blockquote>\n

On March 3, 2021, following Microsoft’s release of out-of-band security patches for four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) in on-premises versions of Microsoft Exchange Server, CISA\u00a0issued<\/a>\u00a0Emergency Directive 21-02, requiring federal agencies to triage their Exchange servers for compromise and to mitigate the vulnerabilities immediately.<\/p>\n

Click here to find Patches<\/a><\/p>\n

Nine Reasons to Patch Hafnium Vulnerabilities<\/strong><\/h2>\n
    \n
  1. \n

    All four CVEs are tied to the DearCry ransomware, which used them to get onto Exchange servers before encrypting them.<\/p>\n<\/li>\n

  2. \n

    Nine APT groups are exploiting these vulnerabilities: Hafnium, Winnti, Tick, LuckyMouse, Websiic, Calypso, Tonto Team, Mikroceen and Vicious Panda.<\/p>\n<\/li>\n

  3. \n

    The PlugX and ShadowPad malware families are associated with attacks that exploit these four CVEs.<\/p>\n<\/li>\n

  4. \n

    All four vulnerabilities are weaponized, and NVD rates them High to Critical severity: CVE-2021-26855 scores CVSS 9.8 (Critical) and the other three score CVSS 7.8 (High).<\/p>\n<\/li>\n

  5. \n

    The US was initially the most targeted country, but the campaign went on to affect customers worldwide, with 54,065 exposed assets observed.<\/p>\n<\/li>\n

  6. \n

    This is a fixable problem: patches are available for all four vulnerabilities, and the Qualys, Tenable and Nexpose scanners all detect them.<\/p>\n<\/li>\n

  7. \n

    The Microsoft Exchange Server team released<\/a> a script, Test-ProxyLogon.ps1 (originally Test-Hafnium.ps1), that checks Exchange logs for HAFNIUM indicators of compromise (IOCs).<\/p>\n<\/li>\n

  8. \n

    Once a server is compromised through these vulnerabilities, the Exchange server is fully under the threat actor's control, which can escalate into far more damaging outcomes such as ransomware deployment and data exfiltration.<\/p>\n<\/li>\n<\/ol>\n
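Reason 7 above points to Microsoft's IOC script; the core check it runs against the Exchange HttpProxy logs can be reproduced directly. What follows is an added example written for this article, not Microsoft's script and not code from the original page. It parses a constructed HttpProxy log and applies the indicator Microsoft published for CVE-2021-26855, an AnchorMailbox value of the form ServerInfo~*/*, then counts hits per source address. The column layout follows the real log; every address, host name, request id and URL in the sample is made up.

```python
"""Hunt Exchange HttpProxy logs for the CVE-2021-26855 request indicator.

Added example, not Microsoft's Test-ProxyLogon.ps1. A request whose
AnchorMailbox field starts with "ServerInfo~" and carries a path (Microsoft's
'ServerInfo~*/*' pattern) is a routing hint that normal clients never send, so
a hit is a strong sign the SSRF was used to reach a backend endpoint.
"""
import csv
from collections import Counter

# Constructed sample log. The '#' preamble and column names follow the real
# HttpProxy log layout; every value (addresses, hosts, request ids, URLs) is made up.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.01.2176.004
#Log-type: HttpProxy Logs
#Date: 2021-03-02T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,ProtocolAction,AnchorMailbox,UserAgent
DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,ProtocolAction,AnchorMailbox,UserAgent
2021-03-02T03:14:07.115Z,req-0001,203.0.113.10,mail.example.test,/owa/auth/logon.aspx,,,Mozilla/5.0
2021-03-02T03:14:08.201Z,req-0002,203.0.113.10,mail.example.test,/ecp/y.js,,ServerInfo~a]@mail.example.test:444/autodiscover/autodiscover.xml?#,python-requests/2.25.1
2021-03-02T03:14:09.555Z,req-0003,203.0.113.10,mail.example.test,/ecp/DDI/DDIService.svc/SetObject,,ServerInfo~a]@mail.example.test:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory#,python-requests/2.25.1
2021-03-02T03:20:00.000Z,req-0004,198.51.100.5,mail.example.test,/mapi/emsmdb/,,SMTP:alice@example.test,Microsoft Office/16.0
2021-03-02T03:21:11.000Z,req-0005,198.51.100.7,mail.example.test,/ecp/,,ServerInfo~mail.example.test,Mozilla/5.0
"""


def parse_httpproxy_log(text):
    """Parse one HttpProxy log file into a list of row dicts.

    The '#' preamble is skipped. If a '#Fields:' line is present its names are
    used as the column headers, and a duplicated plain header row (some Exchange
    log types write one after the preamble) is dropped so it is not read as data.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        rows.append(line)
    if fields and rows and rows[0].split(",") == fields:
        rows = rows[1:]
    # With fieldnames=None, DictReader takes the first remaining row as the header.
    return list(csv.DictReader(rows, fieldnames=fields))


def find_ssrf_hits(records):
    """Apply the 'ServerInfo~*/*' AnchorMailbox check to parsed rows."""
    hits = []
    for r in records:
        anchor = (r.get("AnchorMailbox") or "").strip()
        # A bare 'ServerInfo~host' hint without a path does not match; the
        # published pattern requires the slash that carries the backend path.
        if anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append({
                "time": r["DateTime"],
                "client_ip": r["ClientIpAddress"],
                "url": r["UrlStem"],
                "anchor": anchor,
                "user_agent": r.get("UserAgent", ""),
            })
    return hits


def hits_by_client(hits):
    """Count hits per source address; a burst from one IP is the usual shape."""
    return Counter(h["client_ip"] for h in hits)


if __name__ == "__main__":
    records = parse_httpproxy_log(SAMPLE_LOG)
    hits = find_ssrf_hits(records)
    for h in hits:
        print(f"{h['time']} {h['client_ip']} {h['url']} anchor={h['anchor']}")
    print(dict(hits_by_client(hits)))
```

Point the parser at every file under `<ExchangeInstallPath>\Logging\HttpProxy` (all subfolders, not just Ecp) and review any hit's source address, user agent and the backend path inside the anchor; the OAB virtual-directory path in the sample is the kind of follow-on request that precedes a web shell write.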

    <\/b><\/p>\n

    Microsoft also patched three unrelated remote code execution (RCE) vulnerabilities (CVE-2021-26412, CVE-2021-26854, CVE-2021-27078) in Microsoft Exchange Server alongside the four zero-days. Given the active exploitation, organizations should patch all of these vulnerabilities immediately.<\/p>\n

    <\/b><\/p>\n

    Impact<\/strong><\/h2>\n

    These vulnerabilities have been chained into a four-step attack:<\/p>\n

      \n
    1. \n

      Exploiting the vulnerabilities gives the attacker initial access to the Exchange server; CVE-2021-26855 is the unauthenticated server-side request forgery (SSRF) that provides this entry point.<\/p>\n<\/li>\n

    2. \n

      HAFNIUM operators then install web shells on the compromised server, giving them remote command execution from which to steal data and drop further malware.<\/p>\n<\/li>\n

    3. \n

      Through the web shell they dump the memory of the LSASS.exe process to harvest cached credentials.<\/p>\n<\/li>\n

    4. \n

      Finally, they export mailboxes and other data from the Exchange server and upload it to file-sharing services such as MEGA, from which they retrieve it later.<\/p>\n<\/li>\n<\/ol>\n
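The four steps above, as an added example that is not code from the original page or from Microsoft: a small hunt over constructed process-creation events (Sysmon Event ID 1 style records with parent image, image and command line) that flags steps 2 to 4 of the chain and reports how far along it each host got. The field names, paths and command lines are this example's own, as is the assumption that mailboxes were exported with the New-MailboxExportRequest cmdlet; the page only says mailboxes were exported.

```python
"""Flag the post-exploitation chain in process-creation telemetry.

Added example, not code from the page or from Microsoft. Rules:
  stage 2  web shell execution: w3wp.exe (IIS worker) spawning a command interpreter
  stage 3  LSASS memory dump via procdump or comsvcs.dll MiniDump
  stage 4  mailbox export via New-MailboxExportRequest (assumed method)
"""
import re

# Constructed Sysmon-style process-creation records. Paths and arguments mimic
# what each stage looks like on an Exchange server; none come from a real case.
EVENTS = [
    {"time": "2021-03-02T03:15:01Z", "host": "EXCH01",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami"},
    {"time": "2021-03-02T03:16:30Z", "host": "EXCH01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\procdump64.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp"},
    {"time": "2021-03-02T03:16:45Z", "host": "EXCH01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 684 C:\Windows\Temp\l.dmp full"},
    {"time": "2021-03-02T03:40:12Z", "host": "EXCH01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; New-MailboxExportRequest -Mailbox alice -FilePath \\EXCH01\c$\Windows\Temp\alice.pst"'},
    {"time": "2021-03-02T09:00:00Z", "host": "EXCH01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\admin\notes.txt"},
    {"time": "2021-03-02T03:18:20Z", "host": "EXCH02",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -c Get-Date"},
]

# Stage 2: a web shell runs inside the IIS worker process, so w3wp.exe spawning
# cmd/powershell is the classic signal; Exchange's own code does not do this.
WEB_WORKER = re.compile(r"\\w3wp\.exe$", re.IGNORECASE)
INTERPRETER = re.compile(r"\\(cmd|powershell|pwsh)\.exe$", re.IGNORECASE)
# Stage 3: the two most common command-line ways to dump LSASS.
LSASS_DUMP = re.compile(r"procdump\S*\s.*\blsass\b|comsvcs\.dll\W+MiniDump", re.IGNORECASE)
# Stage 4: mailbox export through the Exchange Management cmdlet (assumed method).
MAILBOX_EXPORT = re.compile(r"\bNew-MailboxExportRequest\b", re.IGNORECASE)

STAGES = ("webshell-exec", "lsass-dump", "mailbox-export")


def classify(event):
    """Return the chain stages an event matches (possibly none)."""
    tags = []
    if WEB_WORKER.search(event["parent"]) and INTERPRETER.search(event["image"]):
        tags.append("webshell-exec")
    if LSASS_DUMP.search(event["cmdline"]):
        tags.append("lsass-dump")
    if MAILBOX_EXPORT.search(event["cmdline"]):
        tags.append("mailbox-export")
    return tags


def hunt(events):
    """Return (time, host, stages) for every event that hits at least one rule."""
    findings = []
    for e in events:
        tags = classify(e)
        if tags:
            findings.append((e["time"], e["host"], tags))
    return findings


def stage_reached(findings, host):
    """How far along the chain a host got: 0 = nothing, 3 = all stages seen in order."""
    seen = set()
    reached = 0
    for _, h, tags in sorted(findings):
        if h != host:
            continue
        seen.update(tags)
        while reached < len(STAGES) and STAGES[reached] in seen:
            reached += 1
    return reached


if __name__ == "__main__":
    findings = hunt(EVENTS)
    for time, host, tags in sorted(findings):
        print(f"{time} {host} {','.join(tags)}")
    for host in sorted({e["host"] for e in EVENTS}):
        print(f"{host}: stage {stage_reached(findings, host)} of {len(STAGES)}")
```

The export rule on its own also fires on a legitimate administrator export, which is why the chain position matters: an export that follows a w3wp-spawned shell and an LSASS dump on the same host is the pattern described above, whereas a stage count of 1 on a host (as for EXCH02 in the sample) is a web shell that has so far only been used for reconnaissance and still warrants isolation and a full triage.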

      The New Malware<\/strong><\/h2>\n

      Microsoft Threat Intelligence Center (MSTIC) has named NOBELIUM as the threat actor behind the SolarWinds supply-chain attack, the SUNBURST backdoor and the TEARDROP malware; this is a separate campaign from HAFNIUM's Exchange exploitation. The actor combines malware and backdoors to gain and keep access to target networks. Microsoft has since identified three additional malware families used by NOBELIUM, GoldMax (tracked by FireEye as SUNSHUTTLE), GoldFinder and Sibot, which carry out actions on targeted networks while evading detection.<\/p>\n

      Stolen credentials have been observed being used to access cloud services such as email and storage, and to maintain access to networks through virtual private networks (VPNs) and remote-access tools.<\/p>\n

      <\/a>