forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
hafnium_group.yml
38 lines (36 loc) · 2.01 KB
/
hafnium_group.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
name: HAFNIUM Group
id: beae2ab0-7c3f-11eb-8b63-acde48001122
version: 1
date: '2021-03-03'
author: Michael Haag, Splunk
description: HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange
CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
narrative: 'On Tuesday, March 2, 2021, Microsoft released a set of security patches
for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities
known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange
2010 security update has also been issued, though the CVEs do not reference that
version as being vulnerable.\
While the CVEs do not shed much light on the specifics of the vulnerabilities or
exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector
that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the
Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858,
and CVE-2021-27065) were also identified as part of this activity. When chained
together along with CVE-2021-26855 for initial access, the attacker would have complete
control over the Exchange server. This includes the ability to run code as SYSTEM
and write to any path on the server.\
The following Splunk detections assist with identifying the HAFNIUM groups tradecraft
and methodology.'
references:
- https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/
tags:
analytic_story: HAFNIUM Group
category:
- Adversary Tactics
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection