HAFNIUM

Threat Actor updated 4 months ago (2024-05-16T20:17:38.287Z)
Hafnium, a China-aligned Advanced Persistent Threat (APT) group that Microsoft now tracks as Silk Typhoon, is known for exploiting vulnerabilities in internet-facing software such as Microsoft Exchange Server and Zoho products. In early 2021 Hafnium exploited a then-unpatched (zero-day) vulnerability chain in on-premises Exchange Server, producing an unusually high number of incidents that year. The chain let the attackers authenticate as the Exchange server itself and then write files to any path on the server, which they used to drop web shells for remote access on thousands of corporate systems.

Hafnium has also hidden its persistence by tampering with the Windows Task Scheduler. Its Tarrask malware, described by Microsoft in 2022, creates a scheduled task and then deletes the task's Security Descriptor (SD) registry value from the scheduler's TaskCache\Tree key. A task whose SD value is missing is not shown by the Task Scheduler console or by schtasks /query, yet the scheduler service still runs it, so the task appears not to exist while it keeps re-establishing the attacker's connection. This is not a vulnerability in Windows but an abuse of how the scheduler stores task metadata; deleting the SD value requires SYSTEM-level privileges, so finding a task in that state on an endpoint is a strong sign of prior compromise rather than misconfiguration.

The speed with which use of the Exchange exploit escalated, from Hafnium alone to several other actors, suggests the same exploit was shared or leaked. Rapid7 observed the same victim exploited by multiple different actors (Hafnium, then coin-miner drops) within a two-week window during the 2021 wave. This could indicate opportunistic behaviour by other attackers using the footholds Hafnium had placed, or researchers using the same exploit to identify systems that had already been compromised.

Indicators of compromise (IOCs) associated with Hafnium include specific web shell filenames such as "system_web.aspx" and "outlooken.aspx", and characteristic command patterns executed through those web shells. In March 2021 the Exchange Server team released a script for checking Hafnium IOCs, aiding detection and mitigation of this threat.
Description last updated: 2024-05-16T20:16:58.049Z
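The two host-side checks a responder would want from the description above, written out as an added PowerShell example. This is not code from the page, from Microsoft's IOC script, or from Rapid7; it assumes the documented Task Scheduler registry layout (one subkey per task under TaskCache\Tree holding an Id GUID and an SD value, and TaskCache\Tasks\{GUID} holding Path, Author and a binary Actions blob), the default IIS web root plus the standard Exchange front-end install path, the two filenames quoted above as the IOC list, and a simple eval(Request) content heuristic for China Chopper-style ASPX shells. Function names, the root list and the heuristic are illustrative choices, not anything the page states.

```powershell
# Added example (not from the page, Microsoft or Rapid7): read-only hunt for two HAFNIUM
# behaviours. Run in an elevated PowerShell on the Windows host being examined.
# Assumed registry layout: Tree\<task path> has Id (GUID) + SD; Tasks\{GUID} has Path, Author, Actions.
$TreeName = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TreeKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Find-HiddenScheduledTask {
    <# Tarrask deletes the SD value of a task's Tree subkey; afterwards schtasks /query and the
       Task Scheduler console no longer list the task although the service still runs it.
       Walking the registry directly sidesteps that blind spot: a subkey that has an Id value
       (so it is a task, not a folder) but no SD value is the artefact to investigate. #>
    Get-ChildItem -Path $TreeKey -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $tree = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $tree.Id -and $null -eq $tree.SD) {
            $task = Get-ItemProperty -Path (Join-Path $TasksKey $tree.Id) -ErrorAction SilentlyContinue
            # Actions is a REG_BINARY blob with UTF-16 strings inside; decoding it and keeping only
            # printable ASCII usually exposes the executable and arguments without a full parser.
            $actions = if ($task.Actions) {
                [System.Text.Encoding]::Unicode.GetString($task.Actions) -replace '[^\x20-\x7e]', ''
            } else { $null }
            [pscustomobject]@{
                TaskPath = $_.Name.Substring($TreeName.Length)   # e.g. \Microsoft\Windows\<folder>\<task>
                Id       = $tree.Id
                Author   = $task.Author
                Actions  = $actions
            }
        }
    }
}

function Find-SuspiciousAspx {
    param(
        # Assumed web roots: IIS default site and the Exchange front-end tree (default install path).
        [string[]] $Roots = @(
            'C:\inetpub\wwwroot',
            "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy"
        ),
        # Filenames the page lists as HAFNIUM IOCs; extend from your own intelligence feeds.
        [string[]] $IocNames = @('system_web.aspx', 'outlooken.aspx')
    )
    # Heuristic for China Chopper's ASPX one-liner, which eval()s a request parameter.
    $chopperPattern = 'eval\s*\(\s*Request'
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter *.aspx -File -ErrorAction SilentlyContinue | ForEach-Object {
            $reasons = @()
            if ($IocNames -contains $_.Name) { $reasons += 'known IOC filename' }
            # aspnet_client holds client-side script files; a server page there is anomalous.
            if ($_.FullName -match '\\aspnet_client\\') { $reasons += '.aspx under aspnet_client' }
            $body = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            if ($body -match $chopperPattern) { $reasons += 'eval(Request) pattern' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    LastWrite = $_.LastWriteTime
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

Write-Host '== Scheduled tasks with a deleted SD value (Tarrask technique) =='
Find-HiddenScheduledTask | Format-Table -AutoSize
Write-Host '== Suspicious .aspx files under web roots =='
Find-SuspiciousAspx | Format-Table -AutoSize
```

A hit from Find-HiddenScheduledTask cannot be removed with schtasks /delete, because the scheduler no longer sees the task; the Actions string is the lead to the binary and arguments, and the task's registry keys have to be handled as SYSTEM during remediation. Find-SuspiciousAspx is deliberately noisy in the other direction: a filename match or a page under aspnet_client is worth triage on its own, while the eval(Request) pattern is a content heuristic and will miss shells that obfuscate the call.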
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit, Microsoft, Vulnerability, State Sponso..., Exploits, Apt, Zero Day, Espionage, Malware, exploited, Iis, Windows, exploitation, Web Shell
Associated Malware
ID: China Chopper
Type: Unspecified
Votes: 2
Profile Description: China Chopper is a well-known malware that has been utilized extensively by various cyber threat actors, including the notorious BRONZE UNION group. This web shell, designed to provide remote access and control over compromised web servers, was found embedded in multiple SharePoint server webshells.
Source Document References
Information about the HAFNIUM Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (created) - Title
ESET (4 months ago) - To the Moon and back(doors): Lunar landing in diplomatic missions
DARKReading (5 months ago) - FBI Director Wray Issues Dire Warning on China's Cybersecurity Threat
CERT-EU (8 months ago) - Connect the Dots on State-Sponsored Cyber Incidents - Targeting of telecommunication companies, internet service providers, and the data services sector
CERT-EU (8 months ago) - UK finance firms faced a torrent of ransomware attacks in 2023 as threat actors ramped up activities | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (8 months ago) - Hackers Modifying Registry Keys and Establishing Persistence | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (8 months ago) - Q4 2023 Security Use Cases: Insights From Success Services
MITRE (9 months ago) - Analyzing Attacker Behavior Post-Exploitation of MS Exchange | Rapid7 Blog
CERT-EU (10 months ago) - Connect the Dots on State-Sponsored Cyber Incidents - Targeting of U.S. federal civilian agency
CERT-EU (10 months ago) - Reflecting on 20 years of Patch Tuesday | MSRC Blog | Microsoft Security Response Center
CERT-EU (a year ago) - Chinese Silent Skimmer Attack Hits APAC and NALA Online Payment Firms
DARKReading (a year ago) - Payment Card-Skimming Campaign Now Targeting Websites in North America
CERT-EU (a year ago) - Nation-state actor targets govts in the Middle East and Africa using rare techniques
CERT-EU (a year ago) - Connect the Dots on State-Sponsored Cyber Incidents - Targeting of U.S. federal civilian agency
CERT-EU (a year ago) - Connect the Dots on State-Sponsored Cyber Incidents - Targeting of organizations via Microsoft Exchange Server vulnerability
CERT-EU (a year ago) - View the latest outbreak alerts on cyber-attacks | FortiGuard Labs
CERT-EU (a year ago) - Cyber Command to expand 'canary in the coal mine' unit working with private sector
CERT-EU (a year ago) - Three of the world's most expensive phishing attacks... and how they could have been prevented
CERT-EU (a year ago) - State-Backed Hackers Employ Advanced Methods to Target Middle Eastern and African Governments
Naked Security (a year ago) - MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to do…
MITRE (2 years ago) - HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security Blog