The Chinese hacking group, which Microsoft calls Hafnium, appears to have been breaking into private and government computer networks through the company’s popular Exchange email software for a number of months.
Microsoft Exchange Server Cyberattack Timeline
- Microsoft released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities. Source: Microsoft, March 7, 2021.
- The White House urged computer network operators to take further steps to gauge whether their systems were targeted amid a hack of Microsoft’s email program, saying a recent software patch still left serious vulnerabilities. Source: Reuters, March 7, 2021.
- The hack has impacted at least 60,000 Microsoft customers worldwide. Source: Bloomberg, March 7, 2021.
Credits: Research by ExecuteMalware
Indicators of Compromise (IOCs)
| Source Type | URI Path | Event ID / Message | File Types | Process Name |
| --- | --- | --- | --- | --- |
| IIS / Exchange OWA server | `/owa/auth/Current/themes/resources/*` | 4104 / `Invoke-PowerShellTCP*`; 4688 / `powershell.exe`; 4104 / `powercat*`; 4688; 11; 4663; 1 | `Object_Name="*.php" OR Object_Name="*.jsp" OR Object_Name="*.js" OR Object_Name="*.aspx" OR Object_Name="*.asmx" OR Object_Name="*.cfm" OR Object_Name="*.shtml"`; `TargetFilename="C:\\ProgramData\\*.rar" OR TargetFilename="C:\\ProgramData\\*.zip" OR TargetFilename="C:\\ProgramData\\*.7z"` | `Process_Name="*umworkerprocess.exe*" OR Process_Name="*UMService.exe*"` |
If you haven't patched yet, use the indicators above to build better rules in your SIEM for faster detection, and block the external IPs.
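The following is an added example of turning the IOC table above into detection logic; it is not Microsoft's log-scanning script or ExecuteMalware's work. Events are constructed dicts standing in for parsed Security, PowerShell and Sysmon log entries, and the field names (event_id, script_block, process_name, parent_name, target_filename) are assumptions rather than a real log schema.

```python
"""Apply the Hafnium/Exchange IOC table to parsed Windows event records.

Added detection example, not Microsoft's IOC scanning script. Field names
are assumptions standing in for a parsed Security/PowerShell/Sysmon schema.
"""

WEBSHELL_EXTS = (".php", ".jsp", ".js", ".aspx", ".asmx", ".cfm", ".shtml")
ARCHIVE_EXTS = (".rar", ".zip", ".7z")
OWA_RESOURCES = "owa/auth/current/themes/resources/"   # URI path from the table
UM_PROCESSES = ("umworkerprocess.exe", "umservice.exe")
PS_SCRIPT_IOCS = ("invoke-powershelltcp", "powercat")


def _norm(path):
    """Lower-case and use forward slashes so URI and NTFS paths compare alike."""
    return path.replace("\\", "/").lower()


def classify(event):
    """Return the names of the table's IOC rules that one event matches."""
    hits = []
    eid = event.get("event_id")
    if eid == 4104:  # PowerShell script block logging
        block = event.get("script_block", "").lower()
        hits += ["4104:" + ioc for ioc in PS_SCRIPT_IOCS if ioc in block]
    if eid in (4688, 1):  # process creation: Security 4688 or Sysmon 1
        names = (_norm(event.get("process_name", "")), _norm(event.get("parent_name", "")))
        if any(n.endswith(p) for n in names for p in UM_PROCESSES):
            hits.append(f"{eid}:unified-messaging process")
    if eid in (11, 4663):  # file create (Sysmon 11) / object access (Security 4663)
        path = _norm(event.get("target_filename", ""))
        if OWA_RESOURCES in path and path.endswith(WEBSHELL_EXTS):
            hits.append(f"{eid}:webshell in OWA resources")
        if path.startswith("c:/programdata/") and path.endswith(ARCHIVE_EXTS):
            hits.append(f"{eid}:archive staged in ProgramData")
    return hits


def scan(events):
    """Map each event index to its rule hits, dropping events that match nothing."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


# Constructed sample events, not records from a real incident.
SAMPLE_EVENTS = [
    {"event_id": 11, "target_filename": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\logon.aspx"},
    {"event_id": 4104, "script_block": "Invoke-PowerShellTcp -Reverse ..."},
    {"event_id": 4688, "process_name": r"C:\Windows\System32\inetsrv\w3wp.exe", "parent_name": r"C:\Windows\System32\services.exe"},
    {"event_id": 11, "target_filename": r"C:\ProgramData\out.7z"},
    {"event_id": 1, "process_name": r"C:\Windows\System32\cmd.exe", "parent_name": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe"},
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS).items():
        print(index, rules)
```

The third sample (a normal w3wp.exe start) produces no hit, which shows the rules key on the table's specific paths, processes and script-block strings rather than on any IIS or PowerShell activity.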