The Chinese hacking group, which Microsoft calls Hafnium, appears to have been breaking into private and government computer networks through the company’s popular Exchange email software for a number of months.
Microsoft Exchange Server Cyberattack Timeline
- Microsoft released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities. Source: Microsoft, March 7, 2021.
- The White House urged computer network operators to take further steps to gauge whether their systems were targeted amid a hack of Microsoft’s email program, saying a recent software patch still left serious vulnerabilities. Source: Reuters, March 7, 2021.
- The hack has impacted at least 60,000 Microsoft customers worldwide. Source: Bloomberg, March 7, 2021.
Credits: Research by ExecuteMalware
Indicators of Compromise (IOCs)
| Source Type | URI Path | Event ID / Message | File Types | Process Name |
|---|---|---|---|---|
| IIS / Exchange OWA server | `/owa/auth/Current/themes/resources/*` | 4104 / `Invoke-PowerShellTCP*` | `Object_Name="*.php" OR Object_Name="*.jsp" OR Object_Name="*.js" OR Object_Name="*.aspx" OR Object_Name="*.asmx" OR Object_Name="*.cfm" OR Object_Name="*.shtml"` | `Process_Name="*umworkerprocess.exe*" OR Process_Name="*UMService.exe*"` |
| | | 4688 / `powershell.exe` | `TargetFilename="C:\\ProgramData\\*.rar" OR TargetFilename="C:\\ProgramData\\*.zip" OR TargetFilename="C:\\ProgramData\\*.7z"` | |
| | | 4104 / `powercat*` | | |

Event ID 4104 is PowerShell script block logging and 4688 is process creation; `Object_Name` is the file path field of Windows file-access audit events (4663) and `TargetFilename` is the Sysmon file-create field (Event ID 11). The `OR` chains are written as SIEM search fragments, so paste them into the matching field of your own query language.
If you have not patched yet, use the indicators above to build better rules in your SIEM for faster detection, and block the external IPs those rules surface. Patching closes the vulnerabilities but does not remove web shells or other access that was already established, so run the same searches on servers you have already patched.
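To turn the table into something you can run against your own telemetry, here is an added Python example (not code from this page or from ExecuteMalware) that applies each indicator to constructed sample events: two IIS W3C log lines, a 4663 file write, two 4688 process creations, a 4104 script block and two Sysmon Event ID 11 file creates. The match patterns are the table's; the rule names, the field names used in the event dicts, the sample events and the on-disk Exchange path are assumptions made for the example. Matching is case-insensitive throughout, since Windows paths, IIS URIs and process names are case-insensitive and the table itself mixes cases.

```python
"""Added example: apply the Exchange / Hafnium IOC table above to sample telemetry.

The match patterns are the table's; the rule names, event dict field names and
the sample events are constructed for this example.
"""
import fnmatch

OWA_RESOURCE_URI = "/owa/auth/Current/themes/resources/*"
SCRIPTBLOCK_IOCS = ("Invoke-PowerShellTCP", "powercat")          # 4104, trailing "*" read as "contains"
WEBSHELL_EXTS = ("*.php", "*.jsp", "*.js", "*.aspx", "*.asmx", "*.cfm", "*.shtml")
STAGED_ARCHIVES = ("C:\\ProgramData\\*.rar", "C:\\ProgramData\\*.zip", "C:\\ProgramData\\*.7z")
UM_PROCESSES = ("*umworkerprocess.exe*", "*UMService.exe*")


def glob_ci(value, patterns):
    """Case-insensitive wildcard match; Windows paths, IIS URIs and process names
    are case-insensitive and the table itself mixes cases."""
    if not value:
        return False
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def iis_lines_to_events(lines):
    """Parse W3C-format IIS log lines, locating cs-uri-stem via the '#Fields:' header."""
    events, uri_col = [], None
    for line in lines:
        if line.startswith("#Fields:"):
            uri_col = line.split()[1:].index("cs-uri-stem")
        elif line.startswith("#") or uri_col is None:
            continue                      # other directives, or data before any header
        else:
            events.append({"source": "iis", "uri": line.split()[uri_col]})
    return events


def check_event(ev):
    """Return the names of the IOC rules an event matches (empty list = clean)."""
    hits = []
    eid = ev.get("event_id")
    if ev.get("source") == "iis":
        # Script-type files requested under the OWA theme resources path. The table's
        # "*.js" entry also matches legitimate theme assets here, so tune it locally.
        uri = ev.get("uri")
        if glob_ci(uri, (OWA_RESOURCE_URI,)) and glob_ci(uri, WEBSHELL_EXTS):
            hits.append("owa_resource_webshell_request")
    elif eid == 4688:                     # process creation
        if glob_ci(ev.get("new_process"), ("*powershell.exe",)):
            hits.append("4688_powershell")
        if glob_ci(ev.get("new_process"), UM_PROCESSES) or glob_ci(ev.get("parent_process"), UM_PROCESSES):
            hits.append("um_process_activity")
    elif eid == 4104:                     # PowerShell script block logging
        text = (ev.get("script_block") or "").lower()
        if any(ioc.lower() in text for ioc in SCRIPTBLOCK_IOCS):
            hits.append("4104_reverse_shell_tooling")
    elif eid in (4663, 11):               # file write: 4663 Object_Name / Sysmon 11 TargetFilename
        path = ev.get("object_name") or ev.get("target_filename")
        if glob_ci(path, WEBSHELL_EXTS):
            hits.append("webshell_file_write")
        if glob_ci(path, STAGED_ARCHIVES):
            hits.append("programdata_archive")
    return hits


def scan(events):
    """Run every event through the rules; keep only the ones that match."""
    findings = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings.append((ev, hits))
    return findings


# Constructed sample data (203.0.113.0/24 is a documentation range, not a real attacker).
SAMPLE_IIS_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2021-03-03 10:15:20 203.0.113.7 GET /owa/auth/Current/themes/resources/logon.css 200",
    "2021-03-03 10:15:22 203.0.113.7 POST /owa/auth/Current/themes/resources/helpv2.aspx 200",
]
# Assumed on-disk location of the OWA auth resources; verify against your own install.
EXCHANGE_WEB_DIR = ("C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy"
                    "\\owa\\auth\\Current\\themes\\resources\\")
SAMPLE_EVENTS = [
    {"source": "security", "event_id": 4663, "object_name": EXCHANGE_WEB_DIR + "helpv2.aspx"},
    {"source": "security", "event_id": 4688, "new_process": "C:\\Windows\\System32\\cmd.exe",
     "parent_process": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe"},
    {"source": "security", "event_id": 4688,
     "new_process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_process": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"},
    {"source": "powershell", "event_id": 4104,
     "script_block": "function Invoke-PowerShellTcp { param($IPAddress, $Port) "
                     "$client = New-Object System.Net.Sockets.TCPClient($IPAddress, $Port) }"},
    {"source": "sysmon", "event_id": 11, "target_filename": "C:\\ProgramData\\mail.7z"},
    {"source": "sysmon", "event_id": 11, "target_filename": "C:\\ProgramData\\Microsoft\\Windows\\cache.dat"},
]

if __name__ == "__main__":
    for ev, hits in scan(iis_lines_to_events(SAMPLE_IIS_LOG) + SAMPLE_EVENTS):
        print(", ".join(hits), "<-", ev)
```

Of the eight constructed events, six fire: the benign `logon.css` request and the `cache.dat` write do not. Two of the table's entries are deliberately broad and will be noisy as written: `*.js` under the OWA resources path matches legitimate theme assets, and a bare `powershell.exe` 4688 match fires on routine administration, so in production scope the latter to suspicious parents such as `w3wp.exe` or the UM processes, as the sample event does.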