HAFNIUM

Threat Actor updated 5 months ago (2024-05-16T20:17:38.287Z)
Download STIX
Preview STIX
Hafnium, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cybersecurity threat. The group is known for exploiting vulnerabilities in software such as Microsoft Exchange Server and Zoho products. In 2021, Hafnium was actively exploiting a bug in the Microsoft Exchange Server, leading to an unusually high number of incidents that year. They used this vulnerability to authenticate with the Exchange server and write files to any path on the server. Moreover, they deployed Web shells for remote access on thousands of corporate systems, often evading detection by exploiting the Windows Task Scheduler to execute hidden scheduled tasks. The group's malicious activities continued into 2023, where they utilized an unconventional method of tampering with scheduled tasks to establish persistent connections. This was achieved by modifying the registry keys in their Tarrask malware. Hafnium, also known as Silk Typhoon, used this flaw to conceal their malicious activity on infected endpoints while establishing persistence. The level of escalation in use by Hafnium and its subsequent use by several other actors suggests the same exploit may have been shared or leaked. Rapid7 observed exploitation of the same victim by multiple different actors (Hafnium and coinminer drops) within a two-week timeframe in 2023. This could indicate opportunistic behavior from other attackers looking to use the footholds placed by Hafnium, or even researchers using the same exploit to identify systems that have been successfully compromised. Indicators of compromise (IOCs) associated with Hafnium include specific filenames like "system_web.aspx" and "outlooken.aspx", and certain command patterns executed via webshells. As of March 2021, the Exchange Server team released a script for checking Hafnium IOCs, aiding in the detection and mitigation of this threat.
Description last updated: 2024-05-16T20:16:58.049Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Microsoft
Vulnerability
State Sponso...
Exploits
Apt
Zero Day
Espionage
Malware
exploited
Iis
Windows
exploitation
Web Shell
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The China Chopper Malware is associated with HAFNIUM. China Chopper is a notorious malware, a harmful program designed to exploit and damage computer systems. It has been primarily used by the threat actor group BRONZE UNION to establish connections to China Chopper web shells on compromised servers, as seen in multiple instances where its code was fouUnspecified
2
Source Document References
Information about the HAFNIUM Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
ESET
5 months ago
DARKReading
6 months ago
CERT-EU
9 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
MITRE
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
DARKReading
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Naked Security
a year ago
MITRE
2 years ago